VPN Cannot Access Internal Resource - ACL Issue?

aBITtooTALL68
Level 1

Hello,

I have been working on setting up an external VPN for GlobalProtect. The VPN is able to access the internet but won't allow me to access internal resources. After speaking with Palo Alto's support team in depth, we were not able to find any issues with the VPN configuration and security/NAT policies. It was suggested to me to look at the ACL lists in Cisco's core, but I am having trouble understanding if the IP configured is allowed through or not. Any help would be greatly appreciated.

Current IP/subnet I need allowed into the network is 10.25.0.0/24.

Below is the current access-list configuration:

Standard IP access list 20
    10 permit 10.5.1.0, wildcard bits 0.0.0.255
Standard IP access list 90
    10 permit 10.20.1.0, wildcard bits 0.0.0.255
    20 permit 10.10.2.0, wildcard bits 0.0.0.255 (23214382 matches)
    30 permit 10.5.1.0, wildcard bits 0.0.0.255
Standard IP access list VPN
    10 permit 10.5.1.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit ip 172.0.0.0 0.255.255.255 any
Extended IP access list 150
    10 permit tcp any any eq 443
Extended IP access list 171
    10 permit udp any eq bootpc any eq bootps log
    20 permit tcp 172.31.1.0 0.0.0.255 any eq 885 log
    30 deny ip 172.31.1.0 0.0.0.255 10.0.0.0 0.255.255.255 log
    40 deny ip 172.31.1.0 0.0.0.255 192.168.0.0 0.0.255.255 log
    50 deny ip 172.31.1.0 0.0.0.255 172.16.0.0 0.0.15.255 log
    60 permit ip 172.31.1.0 0.0.0.255 any
    70 permit tcp 172.31.2.0 0.0.0.255 any eq 885 log
    80 deny ip 172.31.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
    90 deny ip 172.31.2.0 0.0.0.255 192.168.0.0 0.0.255.255 log
    100 deny ip 172.31.2.0 0.0.0.255 172.16.0.0 0.0.15.255 log
    110 permit ip 172.31.2.0 0.0.0.255 any
Extended IP access list 192
    10 deny ip host 10.20.1.7 any
    20 deny ip any 10.0.0.0 0.255.255.255
    30 deny ip any 192.168.0.0 0.0.255.255
    40 deny ip any 172.16.0.0 0.0.15.255
    50 permit tcp 10.210.0.0 0.0.3.255 any eq 443
    60 permit tcp 10.210.0.0 0.0.3.255 any eq www
Extended IP access list 195
    10 deny ip any host 10.20.1.7
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any
    40 deny ip 172.16.0.0 0.0.15.255 any
    50 permit tcp any 10.210.0.0 0.0.3.255 eq 443
    60 permit tcp any 10.210.0.0 0.0.3.255 eq www
Extended IP access list BLOCKWLC
    10 permit ip host 10.10.1.55 host 10.1.0.103
    11 permit ip host 10.10.1.55 any
    12 permit ip host 10.210.5.59 host 10.1.0.104
    15 permit ip host 10.210.5.169 host 10.1.0.103
    16 permit ip 10.210.0.0 0.0.0.31 any
    17 permit ip 10.210.0.32 0.0.0.31 any
    20 permit ip host 10.10.1.55 host 10.1.0.104
    100 deny ip any host 10.1.0.103
    101 deny ip any host 10.1.0.104
    111 permit ip 10.5.1.0 0.0.0.255 any
Extended IP access list IP-Adm-V4-Int-ACL-global
Extended IP access list implicit_deny
    10 deny ip any any
Extended IP access list implicit_permit
    10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list preauth_v4
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list implicit_deny_v6
    deny ipv6 any any sequence 10
IPv6 access list implicit_permit_v6
    permit ipv6 any any sequence 10
IPv6 access list preauth_v6
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
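One way to answer the "is it allowed through or not" question mechanically, as an added example that is not from this thread: a small Python checker that parses standard ACLs out of the `show access-lists` text above (two of the post's ACLs are embedded as constructed input), applies Cisco's first-match and trailing implicit-deny semantics with wildcard masks, and reports per ACL whether every address in a subnet such as 10.25.0.0/24 is permitted, denied, or only partly covered. It assumes the line format shown in the post; extended and IPv6 ACLs are skipped because their matching also depends on protocol, destination and port.

```python
import ipaddress
import re
# Constructed input: two of the standard ACLs from the post's "show access-lists" output.
SHOW_ACL = """\
Standard IP access list 90
    10 permit 10.20.1.0, wildcard bits 0.0.0.255
    20 permit 10.10.2.0, wildcard bits 0.0.0.255 (23214382 matches)
    30 permit 10.5.1.0, wildcard bits 0.0.0.255
Standard IP access list VPN
    10 permit 10.5.1.0, wildcard bits 0.0.0.255
"""
HEADER = re.compile(r"^Standard IP access list (\S+)\s*$")
ENTRY = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\(\d+ matches\))?\s*$")

def parse_standard_acls(text):
    """Return {acl_name: [(seq, action, network_int, wildcard_int), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # an ACL header; only standard ACLs are kept
            h = HEADER.match(line)
            current = acls.setdefault(h.group(1), []) if h else None
            continue
        e = ENTRY.match(line)
        if not e or current is None:
            continue
        seq, action, target = int(e.group(1)), e.group(2), e.group(3)
        if target == "any":
            net, wild = 0, 0xFFFFFFFF
        elif ", wildcard bits " in target:
            net, wild = (int(ipaddress.IPv4Address(x)) for x in target.split(", wildcard bits "))
        else:  # a bare address or "host A" in show output is a single host
            net, wild = int(ipaddress.IPv4Address(target.replace("host ", ""))), 0
        current.append((seq, action, net, wild))
    return acls

def evaluate(entries, addr):
    """First matching line wins; falling off the end is the implicit deny."""
    a = int(ipaddress.IPv4Address(addr))
    for seq, action, net, wild in entries:
        if (a & ~wild) == (net & ~wild):  # bits where the wildcard is 0 must be equal
            return seq, action
    return None, "deny"

def audit_subnet(acls, cidr):
    """Per ACL: 'permitted', 'denied', or 'partial' across every address in cidr."""
    out = {}
    for name, entries in acls.items():
        acts = {evaluate(entries, str(ip))[1] for ip in ipaddress.ip_network(cidr)}
        out[name] = "partial" if len(acts) > 1 else ("permitted" if "permit" in acts else "denied")
    return out
```

Running `audit_subnet(parse_standard_acls(SHOW_ACL), "10.25.0.0/24")` reports both ACLs as "denied" for the whole /24, which is the implicit deny at work; only a line that actually covers the VPN pool changes that.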

4 Replies

balaji.bandi
Hall of Fame

This shows your access list, but what device is this, and where is this ACL applied? You need to look at how the traffic is coming in or going out.

I do not see any ACL defined specific to that /24 address space; maybe it is matching a different rule with a supernet to deny, I guess.

What does your network diagram look like, and where does this host reside?

BB

@aBITtooTALL68

The network 10.25.0.0 is definitively not permitted anywhere on this ACL.

Thank you Flavio, I really appreciate your eyes on the config. That is absolutely the reason why our VPN traffic is not hitting internal resources.

I'm not sure how to go about allowing the subnet into the whole network (VPN will be for management only). Any further advice would be greatly appreciated.

We cannot answer you if we don't know the topology and where you apply these ACLs.

Can you share this info here?

MHM