cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1005
Views
3
Helpful
6
Replies

inside user initiates connection to vpn user

gsmengineer
Level 1
Level 1

Hi, couldn't solve this issue:

I have to client. A and B.

A connected via Remote Acces VPN and filter applied to it

B is inside user connected to inside interface with sec-lvl 100.

For example,

B pings A but unsuccessful

B initiates connection to A but unsuccessful

As I know from sec-lvl 100 all conn is allowed and ASA allows established connection backward. Why B is not allowed back to A

(after adding ACL to allow B to A I was succesfull)

1 Accepted Solution

Accepted Solutions

Andrew Phirsov
Level 7
Level 7

First of all, security levels don't matter when it comes to vpn-traffic - all traffic in both directions is allowed with no restrictions as long as  sysopt-connection permit vpn  is present in config (the default).

Second, when you've applied vpn-filter feature, that ACL works for traffic in both directions, i.e you have to explicitly permit traffic for both directions in that single ACL.

Those vpn-filter ACLs are kinda special ACLs, cause it's written from the perspective of remote site (client) but should include entries for both directions. You may take a look here (or anywhere else)) on how it works:

http://popravak.wordpress.com/2011/11/05/cisco-asa-vpn-filter-as-i-see-it/

View solution in original post

6 Replies 6

Kimberly Adams
Level 3
Level 3

This didn't automatically work due to the firewall is setup to block or deny traffic, until it is specifically permitted.  That is why once you add the access list it now works.

Thanks and Cheers!

Kimberly

Please remember to rate helpful posts.

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

Andrew Phirsov
Level 7
Level 7

First of all, security levels don't matter when it comes to vpn-traffic - all traffic in both directions is allowed with no restrictions as long as  sysopt-connection permit vpn  is present in config (the default).

Second, when you've applied vpn-filter feature, that ACL works for traffic in both directions, i.e you have to explicitly permit traffic for both directions in that single ACL.

Those vpn-filter ACLs are kinda special ACLs, cause it's written from the perspective of remote site (client) but should include entries for both directions. You may take a look here (or anywhere else)) on how it works:

http://popravak.wordpress.com/2011/11/05/cisco-asa-vpn-filter-as-i-see-it/

THank you, as I understood, vpn-filter does not allow established connection. And we also know that established permisssion works for stateful connections. Does Remote Access VPN connection is stateful or stateless?

By the way, your answer close to my question

Thank you again

You know, I actually never had a chance to prove if it stateless or statefull, and there seems to be no information regarding this. To my understanding it's not statefull, but only allows traffic due to the entries in the vpn-filter ACL. The general logic that this ACL works for both directions. So, when, for example, you permit client to telenet to some host on the inside network, i.e. tcp any to 23, the returning packets are allowed just cause they match this ACE in the opposite direction, i.e. tcp 23 to any. And it's not statefull behavior, but just the way ACLs work. Plus, say you want to inspect ftp for the vpn-client, accessing internal ftp-server. Where  should that inspection policy  be applied in the config?  One place i can think of is the global policy, but i'm not sure it works for traffic comming from/to the tunnel. But again, i'm not sure and have to lab it first))

I want to add comment:

The VPN Filter works bi-directionally with a single ACL.

The remote       host/network is always defined at the beginning of the ACE , regardless of the       direction of the ACE (inbound or outbound).

This configuration is described in this sample configuration.

As ACL is stateful, if the traffic is allowed in one direction, then       the return traffic for that flow is automatically allowed.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

Good, thanks for the link.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: