VPN IP Filters, allowing traffic from outbound source? How?

Mohamed Hamid
Level 1

Hi Guys

I have a VPN profile for users which has a VPN ACL applied to it on a Cisco ASA 5520.

Currently all my rules specify the source as the VPN network range (provided by the DHCP on the ASA) to any destination.

Example being the ability to print, so the ACL specifies source: vpnNetworkRange destination: PrintServer Service: ldp

However I have implemented a management server that needs to manage clients on the vpnNetworkRange.

The server sits on a different network off the same ASA.

In the vpnACL I have specified source: ManagementServer destination: vpnNetworkRange and the required service, icmp as an example.

However, when I am on the management server I still cannot ping any clients on the vpnNetworkRange.

I get the following error in the log:

accees-list vpnACL denied icmp for user '<unknown>' ServerNetwork/ManagementServer(8) - > vpninterface/vpnNetworkRange(0) hit-cnt 1 first hit..

What is weird is that if I allow the following in the vpnACL:

source: vpnNetworkRange destination: ManagementServer service: IP

The management server is then able to connect; however, this rule is not secure, as it effectively allows clients on the vpnNetworkRange to access my management server.

Kind Regards

Mohamed

Jouni Forss
VIP Alumni

Hi,

To my understanding, the VPN client Filter ACL is configured like any interface ACL:

First specify the source (VPN Pool) and then the destination (LAN networks/hosts).

For L2L VPN the Filter ACL should be considered bi-directional. In an L2L VPN Filter ACL the remote network/host address is always the source.

So I imagine permitting ICMP with the below line should do the trick:

access-list permit icmp

- Jouni
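As an added illustration (not part of Jouni's reply or the original question), here is how the vpnACL from the question could be tightened on the ASA. It assumes a constructed pool of 10.10.10.0/24 for vpnNetworkRange, 10.20.20.5 for ManagementServer, a group policy named VPNUSERS and a hypothetical agent port 5666, and relies on the ASA evaluating the vpn-filter with the client address in the source position for both directions of a flow, which is what the question observed when the "permit ip" rule made the server-initiated pings work.

```cisco
! Constructed addresses for this example (not from the post):
!   vpnNetworkRange  = 10.10.10.0/24   (VPN client pool)
!   ManagementServer = 10.20.20.5
!   VPNUSERS         = assumed group-policy name

! Weak rule from the question: every VPN client can reach the server on any
! protocol. Remove it.
no access-list vpnACL extended permit ip 10.10.10.0 255.255.255.0 host 10.20.20.5

! Keep the VPN pool as the SOURCE even though the server initiates the ping;
! the filter is applied to both directions of the flow, so this also lets the
! clients ping the server, but nothing more than ICMP.
access-list vpnACL remark ICMP between ManagementServer and VPN clients only
access-list vpnACL extended permit icmp 10.10.10.0 255.255.255.0 host 10.20.20.5

! For a TCP agent that the server connects to on the client, the client's
! listening port belongs in the source-port position (5666 is constructed).
access-list vpnACL remark ManagementServer -> client agent port only
access-list vpnACL extended permit tcp 10.10.10.0 255.255.255.0 eq 5666 host 10.20.20.5

! Re-apply the filter to the users' group policy.
group-policy VPNUSERS attributes
 vpn-filter value vpnACL

! Verify: the hit counts on the permit lines should increase when the server
! pings a connected client, and the earlier deny message should stop.
show access-list vpnACL
```

A rule written with the server as the source (as in the question) never matches client traffic and only produces the deny seen in the log, so it can be removed rather than left as a dead entry.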
