inside user initiates connection to vpn user

gsmengineer
Level 1

Hi, I couldn't solve this issue:

I have two clients, A and B.

A is connected via Remote Access VPN and a filter is applied to it.

B is an inside user connected to the inside interface with sec-lvl 100.

For example,

B pings A, but it is unsuccessful.

B initiates a connection to A, but it is unsuccessful.

As I know, from sec-lvl 100 all connections are allowed and the ASA allows established connections back. Why is B not allowed back to A?

(After adding an ACL to allow B to A, I was successful.)

Accepted Solution

Andrew Phirsov
Level 7

First of all, security levels don't matter when it comes to vpn-traffic - all traffic in both directions is allowed with no restrictions as long as sysopt-connection permit vpn is present in config (the default).

Second, when you've applied the vpn-filter feature, that ACL works for traffic in both directions, i.e. you have to explicitly permit traffic for both directions in that single ACL.

Those vpn-filter ACLs are kinda special ACLs, cause they're written from the perspective of the remote site (client) but should include entries for both directions. You may take a look here (or anywhere else) on how it works:

http://popravak.wordpress.com/2011/11/05/cisco-asa-vpn-filter-as-i-see-it/

6 Replies

Kimberly Adams
Level 3

This didn't automatically work because the firewall is set up to block or deny traffic until it is specifically permitted. That is why once you add the access list it now works.

Thanks and Cheers!

Kimberly

Please remember to rate helpful posts.


Thank you. As I understood, vpn-filter does not allow established connections. And we also know that the established permission works for stateful connections. Is a Remote Access VPN connection stateful or stateless?

By the way, your answer is close to my question.

Thank you again.

You know, I actually never had a chance to prove if it's stateless or stateful, and there seems to be no information regarding this. To my understanding it's not stateful, but only allows traffic due to the entries in the vpn-filter ACL. The general logic is that this ACL works for both directions. So, when, for example, you permit the client to telnet to some host on the inside network, i.e. tcp any to 23, the returning packets are allowed just cause they match this ACE in the opposite direction, i.e. tcp 23 to any. And it's not stateful behavior, but just the way ACLs work. Plus, say you want to inspect ftp for the vpn-client accessing an internal ftp-server. Where should that inspection policy be applied in the config? One place I can think of is the global policy, but I'm not sure it works for traffic coming from/to the tunnel. But again, I'm not sure and have to lab it first))

I want to add a comment:

The VPN Filter works bi-directionally with a single ACL.

The remote host/network is always defined at the beginning of the ACE, regardless of the direction of the ACE (inbound or outbound).

This configuration is described in this sample configuration.

As the ACL is stateful, if the traffic is allowed in one direction, then the return traffic for that flow is automatically allowed.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

Good, thanks for the link.
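To make the matching rule discussed in this thread concrete, here is a small Python model of how a vpn-filter ACL is evaluated. It is an added example, not Cisco code and not the original poster's configuration. It reproduces only the rule stated above: the remote (VPN client) host is always written first in each ACE, and each ACE is applied in both directions. The addresses, the ACL name VPNFILTER and the ACEs are constructed for illustration; whether the ASA also tracks connection state for this traffic is left open in the thread and is not modelled here.

```python
"""Added example: a model of ASA vpn-filter ACL matching (not Cisco code).

Only the rule from the thread is modelled: the remote (client) host comes
first in each ACE and one ACE is matched in both directions. All addresses,
the ACL name VPNFILTER and the entries are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: A is the VPN client's pool address, B the inside host.
CLIENT_A = "192.0.2.10"
INSIDE_B = "10.1.1.5"

# A filter that only lists client-initiated telnet to B (constructed).
FILTER_BEFORE = """
access-list VPNFILTER extended permit tcp host 192.0.2.10 host 10.1.1.5 eq 23
"""

# Same filter plus explicit entries for inside-initiated traffic. The remote
# host still comes first; for an inside->client connection the destination
# port is written on the remote side of the ACE (A's port 22).
FILTER_AFTER = FILTER_BEFORE + """
access-list VPNFILTER extended permit icmp host 192.0.2.10 host 10.1.1.5
access-list VPNFILTER extended permit tcp host 192.0.2.10 eq 22 host 10.1.1.5
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    remote: ipaddress.IPv4Network      # VPN-client side (always first)
    remote_port: Optional[int]
    local: ipaddress.IPv4Network       # inside side
    local_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host X' or 'X MASK' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq N' (numeric ports only in this model)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(config: str, name: str) -> List[Ace]:
    """Parse 'access-list NAME [extended] ACTION PROTO REMOTE [eq P] LOCAL [eq P]' lines."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or tokens[2:3] == ["remark"]:
            continue
        rest = tokens[3:] if tokens[2] == "extended" else tokens[2:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        remote, rest = _parse_addr(rest)
        remote_port, rest = _parse_port(rest)
        local, rest = _parse_addr(rest)
        local_port, rest = _parse_port(rest)
        aces.append(Ace(action, proto, remote, remote_port, local, local_port))
    return aces


def _port_ok(ace_port: Optional[int], pkt_port: Optional[int]) -> bool:
    return ace_port is None or ace_port == pkt_port


def _match_one_way(ace, proto, remote_ip, remote_port, local_ip, local_port) -> bool:
    return (ace.proto in (proto, "ip")
            and ipaddress.ip_address(remote_ip) in ace.remote
            and ipaddress.ip_address(local_ip) in ace.local
            and _port_ok(ace.remote_port, remote_port)
            and _port_ok(ace.local_port, local_port))


def vpn_filter_decision(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; the ACE is tried with the client as source
    (client -> inside) and with the client as destination (inside -> client)."""
    for ace in aces:
        from_client = _match_one_way(ace, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        to_client = _match_one_way(ace, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if from_client or to_client:
            return ace.action
    return "deny"  # implicit deny at the end of every ACL


def evaluate_scenarios(config: str) -> Dict[str, str]:
    """Run the flows from the thread (constructed ports) through the filter."""
    aces = parse_acl(config, "VPNFILTER")
    flows = {
        "A telnet -> B": Packet("tcp", CLIENT_A, 51000, INSIDE_B, 23),
        "B telnet reply -> A": Packet("tcp", INSIDE_B, 23, CLIENT_A, 51000),
        "B ping -> A": Packet("icmp", INSIDE_B, None, CLIENT_A, None),
        "B ssh -> A": Packet("tcp", INSIDE_B, 40000, CLIENT_A, 22),
        "A ssh reply -> B": Packet("tcp", CLIENT_A, 22, INSIDE_B, 40000),
    }
    return {name: vpn_filter_decision(aces, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, cfg in (("before", FILTER_BEFORE), ("after", FILTER_AFTER)):
        print(label, evaluate_scenarios(cfg))
```

With FILTER_BEFORE the client's telnet and its reply are permitted by the single ACE (the reply matches it with source and destination swapped), while B's ping and B's SSH to A are denied, which is the behaviour the original poster saw. FILTER_AFTER adds ACEs written from A's perspective for those inside-initiated flows, and all five flows are then permitted.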