Hi Guys
I have a VPN profile for users which has a VPN ACL applied to it on a Cisco ASA 5520.
Currently all my rules specify the source as the VPN network range (provided by the DHCP on the ASA) to any destination.
An example being the ability to print, so the ACL specifies source: vpnNetworkRange, destination: PrintServer, service: ldp.
However I have implemented a management server that needs to manage clients on the vpnNetworkRange.
The server sits on a different network off the same ASA.
In the vpnACL I have specified source: ManagementServer, destination: vpnNetworkRange and the required service, ICMP as an example.
However, when I am on the management server I still cannot ping any clients on the vpnNetworkRange.
I get this error in the log:
accees-list vpnACL denied icmp for user '<unknown>' ServerNetwork/ManagementServer(8) - > vpninterface/vpnNetworkRange(0) hit-cnt 1 first hit..
What is weird is that if I allow the following in the vpnACL
source: vpnNetworkRange, destination: ManagementServer, service: IP,
the management server is then able to connect; however, this rule is not secure as it effectively allows clients on the vpnNetworkRange to access my management server.
Kind Regards
Mohamed
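The following ASA configuration fragment is an added example and is not the poster's own config. It shows the two rules described in the post written as a vpn-filter ACL, with the management rule narrowed from "ip" to the specific protocol that is actually needed. The reason the client-as-source rule is the one that works is documented ASA behaviour for vpn-filter: the ACL is evaluated for traffic in both directions with the VPN client's assigned address always in the source position, so a rule written server-first (as in the post) never matches. Object names, the pool/host addresses, the group-policy name and the TCP port on the client are all assumed placeholders; this syntax assumes ASA 8.3 or later (object-based ACLs).

```cisco
! Added example, not the original poster's configuration. Addresses are assumed.
object network vpnNetworkRange
 subnet 10.10.10.0 255.255.255.0
object network PrintServer
 host 10.20.0.5
object network ManagementServer
 host 10.30.0.10

! Rule from the post: VPN clients may reach the print server over LPD (tcp/515)
access-list vpnACL extended permit tcp object vpnNetworkRange object PrintServer eq lpd

! vpn-filter ACEs are matched with the VPN client as the source in both directions,
! so the management rule is written client-first, but limited to ICMP rather than
! "ip" so clients gain no general access to the management server
access-list vpnACL extended permit icmp object vpnNetworkRange object ManagementServer

! For a TCP agent that listens on the client, the client-side port belongs to the
! source object (assumed port 5900 purely as an illustration)
access-list vpnACL extended permit tcp object vpnNetworkRange eq 5900 object ManagementServer

! Apply the filter to the group policy used by the VPN users (assumed name)
group-policy VPN_USERS attributes
 vpn-filter value vpnACL
```

With the ICMP-only and port-specific ACEs in place, a client that tries to open any other service on the management server is dropped by the same vpn-filter, and the denied packets show up in the log as the same "access-list vpnACL denied" message seen in the post, which is a quick way to confirm the narrower rule is doing its job.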