Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASA VPN Access List Issue

Posted on 2009-07-09
7
Medium Priority
?
256 Views
Last Modified: 2012-05-07
I have an ASA 5510 with an access list that permits traffic to a SQL sever from a few IP sources, one being the VPN pool of addresses....I have a client who is VPN'd in from a hotel, and could not access the server?  The only way to do it was to add his source IP address to the permit list?  Since my VPN pool of addresses is permitted to this server shouldn't the source IP be one from the VPN pool?

the syslog message was Source IP 166.x.x.x Description: Deny tcp src outside.....by access group outside_access_in...

This is very strange to me why it would be denying the connection from the source outside, when he is VPN'd in...I confirmed it in the ASA, and his IP on his machine was one from the VPn pool?  Any suggestions would help...
0
Comment
Question by:bbresslin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24826191
Would you post the code from the ASA if possible.  

There must be a problem between the IP pool config and the access-list somewhere.....
0
 
LVL 10

Expert Comment

by:stsonline
ID: 24826835
FYI, the reason the source is shown as outside is that whenever a VPN connection is established, it is generally coming in from the Internet, which is the outside interface. It looks weird, but that's the reason - the source is indeed on the outside interface.
0
 
LVL 1

Author Comment

by:bbresslin
ID: 24840410
The config on the ASA is massive and would take forever to scrub, but I can add some bullet points..

There is an access list on the outside interface allowing traffic from a few specific ip addresses to this particular server....A single public IP from another remote site, and the VPN pool of addresses...since "technically" the VPN pool of addresses aren't attached to the outside interface of the firewall, would the access list be blocking access to the app server on the outside since the traffic is coming from an IP address not being allowed on the outside interface?
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 33

Expert Comment

by:MikeKane
ID: 24840980
Is the source IP 166.x.x.x part of your pool?    

Is your client vpn running a split tunnel config?   IS the traffic from the client coming across the vpn or the public net?  

Is there an access list applied to the inside interface in either direction?    Is the vpn pool on nonat?
0
 
LVL 1

Author Comment

by:bbresslin
ID: 24841308
166 is not part of the pool....VPN client is running split tunneling....traffic from client is coming across remote access VPN....VPN pool is nat exempt...
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 24841502
If 166 is not in the global pool, then I would double check your split tunnel rules also.    The split tunnel may not be catching traffic destined for this server.    If its a public web server, and the client is resolving the name to a public IP (as it normally would), then the traffic probably isn't VPN'd
0
 
LVL 1

Author Closing Comment

by:bbresslin
ID: 31605450
Customer is accessing via vpn, however the server is resolving to a public IP address, so it is not seeing this traffic as VPN traffic, client needed to access the server using the internal ip address rather than the name...
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question