How to allow access into VPN Filter

Mohamed Hamid, Level 1

Hi Guys

I have a quick question.

I have a VPN filter applied to my VPN group policy on network 192.16.1.0/24

I would like a management server sitting on the 10.0.0.0/23 network to VNC to, and have the specified access to, users who are VPNed.

In the VPN ACL I allowed the server, which is 10.0.0.11, access to 192.16.1.0/24 on port tcp/5900, but in the logs I see that it is denied with:

access-list vpnACL denied tcp for user <'unknown'> serverNetwork/10.0.0.11(57582) -> dmzinterface/192.16.1.88(5900) hit-cnt 1

What is the solution to this problem?

Your help is much appreciated

Kind Regards

7 Replies

Good day Mohamed,

Are you defining the VPN filter under the group-policy settings of the specific connection profile?

The crypto ACL should not include any ports, only IP (recommended).

Please check this out:

PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

Let me know if you have any questions.

Portu.

Please rate any post you find useful.

Hi Javier

Yes, I am defining the VPN filter in the group policy on a connection profile.

In that ACL I have specified the access requirements for VPN users, i.e. file access and printer access to print servers.

What I would like is to allow access into the VPN tunnel, as I have a management server that needs tcp/5900 and tcp/3283.

Ok, so we need to make sure we have a good understanding of how the VPN filter works:

1- VPN filters check inbound connections.

So:

Local network: 192.168.1.0/24

Remote network: 192.168.2.0/24

To allow RDP on the VPN filter:

In case the remote site is initiating the TCP connection to your servers on port 3389.

access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389

In case the local site is initiating the TCP connection to the remote servers on port 3389.

access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0

Let me know.

Thanks.

Please rate any post you find useful.

Hi Javier

Sorry, I did not quite understand the above.

I am mainly using the ASDM; in the group policy I have applied the IPv4 filter using an ACL that I created to specify the required access for outbound VPN connections.

The problem is defining inbound connections to the VPN range.

In the VPN filter I have specified to allow access from the management server into the VPN network, but in the logs I see that it is getting denied by the VPN filter each time it tries to initiate a remote session into a user who is VPNed.

At this point I would need to check out your settings.

Could you please include the following?

1- group-policy, "show run group-policy xxxx"

2- The ACL used as a filter: "show access-list xxxx"

3- Local network.

4- Remote network.

5- Specific port and protocol.

6- Who initiates the connection? Local or Remote?

Thanks.

Hi Javier

1)

asa-L# show run group-policy VPN-1_1

group-policy VPN-1_1 internal

group-policy VPN-1_1 attributes

wins-server none

dns-server value 10.0.0.24 10.0.0.25

vpn-filter value vpnACL

vpn-tunnel-protocol IPSec svc webvpn

default-domain value xxx

msie-proxy server value 162.16.9.15:8080

msie-proxy method use-server

msie-proxy local-bypass enable

webvpn

  svc ask none default svc

asa-L#

2)

asa-L# show access-list vpnACL

access-list vpnACL; 33 elements; name hash: 0x5c97374a

access-list vpnACL line 1 extended permit ip host MDM02 vpnNET 255.255.255.0 (hitcnt=0) 0x4524d9e0

access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 object-group proxy 0x21fb8071

  access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 1080 (hitcnt=824) 0x9720c243

  access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 8080 (hitcnt=70062) 0x67f7ae94

access-list vpnACL line 3 remark Users Printer Access to CUPS

access-list vpnACL line 4 extended permit object-group DM_INLINE_SERVICE_28 vpnNET 255.255.255.0 host il2Puppet 0x810f7ce9

  access-list vpnACL line 4 extended permit tcp vpnNET 255.255.255.0 host il2Puppet eq 631 (hitcnt=0) 0x2f725813

  access-list vpnACL line 4 extended permit udp vpnNET 255.255.255.0 host il2Puppet eq snmp (hitcnt=1) 0xf9668cab

access-list vpnACL line 5 extended permit object-group DM_INLINE_SERVICE_29 vpnNET 255.255.255.0 host MDM02 0x2276e069

  access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=0) 0x98e6ccc6

  access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0x53ef8d06

  access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=20) 0x9da32c32

  access-list vpnACL line 5 extended permit icmp vpnNET 255.255.255.0 host MDM02 (hitcnt=99) 0x3cbe73ab

  access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0xb8ad1340

access-list vpnACL line 6 extended permit object-group DM_INLINE_SERVICE_26 vpnNET 255.255.255.0 host AH1-SVR-CAN1 0x41cc1556

  access-list vpnACL line 6 extended permit tcp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq lpd (hitcnt=7) 0x98b74e1d

  access-list vpnACL line 6 extended permit udp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq snmp (hitcnt=14) 0x2f517698

access-list vpnACL line 7 extended permit object-group DM_INLINE_SERVICE_27 vpnNET 255.255.255.0 object-group il2AHdirsvr 0x619f3308

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x27c35d0f

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0x5a508170

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x45de38af

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0xb658a5b4

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq domain (hitcnt=8091) 0xf1ccef4f

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq domain (hitcnt=42074) 0xc3128476

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq ldap (hitcnt=605) 0xf5819171

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq ldap (hitcnt=936) 0x84cddf3c

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=14) 0x61e385a6

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=20) 0x3f738f97

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=111) 0x5d3bdaa2

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=461) 0xe1412727

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 549 (hitcnt=30) 0x36cecf23

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 549 (hitcnt=2) 0x993d09ef

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 548 (hitcnt=0) 0xe6575e39

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 548 (hitcnt=15) 0xbe5ac037

  access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap2 (hitcnt=12) 0x07e39153

  access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap1 (hitcnt=3441) 0x5e0594ae

access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 object-group DM_INLINE_NETWORK_9 eq 8014 0xc797e1c2

  access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman1 eq 8014 (hitcnt=8924) 0xb1ec699c

  access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman2 eq 8014 (hitcnt=2163) 0x8250bef2

access-list vpnACL line 9 extended deny ip any any (hitcnt=30022) 0xe47d62bc

asa-L#

3) Local network is officeNetwork, which is an interface on the ASA. MDM02 sits in this network.

4) Remote network is vpnNET

5) The connection is initiated by MDM02 into vpnNET

I think your confusion is because a VPN-Filter uses a different logic than a "normal" ACL.

In an ACL you specify:

ACTION PROT  SOURCE-L3 SOURCE-L4 DEST-L3 DEST-L4

i.e.

permit tcp   host 1.1.1.1 gt 1023   host 2.2.2.2 eq 80

But the Logic of the VPN-Filter is:

ACTION PROT  REMOTE-L3 REMOTE-L4 LOCAL-L3 LOCAL-L4

So there is no source or destination. Every access (inbound or outbound) has to use this logic of remote and local instead of source and destination.

In ASDM that is quite complicated as the ASDM is not aware of this. For outbound connections you have to specify the real destination port (which is remote) as a source-port in ASDM, because that is what will be the remote-port.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
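Added example, not from the thread or from Cisco: a small Python model of the remote/local matching that the two answers above describe, applied to the vpnACL line 5 and the denied log line from the question. It assumes vpnNET is 192.16.1.0/24 and MDM02 is 10.0.0.11, as the question states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class VpnFilterRule:
    # One extended ACL line as the ASA vpn-filter reads it: the first
    # address/port pair is the REMOTE (VPN peer) side, the second is LOCAL.
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    remote_net: IPv4Net
    remote_port: Optional[int]  # None means any port
    local_net: IPv4Net
    local_port: Optional[int]

def to_remote_local(src, sport, dst, dport, vpn_net):
    """Map a logged flow (src -> dst) onto the filter's remote/local view:
    whichever end sits in the VPN address pool is the remote side."""
    if ipaddress.ip_address(src) in vpn_net:
        return (src, sport), (dst, dport)
    return (dst, dport), (src, sport)

def vpn_filter_permits(rules, proto, remote, local):
    """First match wins; the implicit 'deny ip any any' ends the list."""
    for r in rules:
        if (r.proto in ("ip", proto)
                and ipaddress.ip_address(remote[0]) in r.remote_net
                and ipaddress.ip_address(local[0]) in r.local_net
                and r.remote_port in (None, remote[1])
                and r.local_port in (None, local[1])):
            return r.action == "permit"
    return False

VPN_NET = IPv4Net("192.16.1.0/24")  # vpnNET, the VPN pool from the question
MDM02 = IPv4Net("10.0.0.11/32")     # the management server from the question

# vpnACL line 5 as posted: 5900 sits on the LOCAL (MDM02) side, so it only
# matches VPN clients connecting TO MDM02:5900, never MDM02 connecting out.
AS_POSTED = [VpnFilterRule("permit", "tcp", VPN_NET, None, MDM02, 5900)]
# The line the question needs, in remote/local form (the VPN client owns the
# listening port): permit tcp vpnNET 255.255.255.0 eq 5900 host MDM02
CORRECTED = AS_POSTED + [VpnFilterRule("permit", "tcp", VPN_NET, 5900, MDM02, None)]

# Constructed from the denied log line: 10.0.0.11(57582) -> 192.16.1.88(5900)
LOGGED_FLOW = ("10.0.0.11", 57582, "192.16.1.88", 5900)
def check(rules, flow):
    remote, local = to_remote_local(*flow, VPN_NET)
    return vpn_filter_permits(rules, "tcp", remote, local)
```

Running check(AS_POSTED, LOGGED_FLOW) reproduces the deny from the log, while check(CORRECTED, LOGGED_FLOW) permits it; the posted line 5 still permits a VPN client connecting to MDM02:5900.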