ASA VPN Access List Issue

I have an ASA 5510 with an access list that permits traffic to a SQL sever from a few IP sources, one being the VPN pool of addresses....I have a client who is VPN'd in from a hotel, and could not access the server?  The only way to do it was to add his source IP address to the permit list?  Since my VPN pool of addresses is permitted to this server shouldn't the source IP be one from the VPN pool?

the syslog message was Source IP 166.x.x.x Description: Deny tcp src outside.....by access group outside_access_in...

This is very strange to me why it would be denying the connection from the source outside, when he is VPN'd in...I confirmed it in the ASA, and his IP on his machine was one from the VPn pool?  Any suggestions would help...
LVL 1
bbresslinAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MikeKaneCommented:
Would you post the code from the ASA if possible.  

There must be a problem between the IP pool config and the access-list somewhere.....
0
stsonlineCommented:
FYI, the reason the source is shown as outside is that whenever a VPN connection is established, it is generally coming in from the Internet, which is the outside interface. It looks weird, but that's the reason - the source is indeed on the outside interface.
0
bbresslinAuthor Commented:
The config on the ASA is massive and would take forever to scrub, but I can add some bullet points..

There is an access list on the outside interface allowing traffic from a few specific ip addresses to this particular server....A single public IP from another remote site, and the VPN pool of addresses...since "technically" the VPN pool of addresses aren't attached to the outside interface of the firewall, would the access list be blocking access to the app server on the outside since the traffic is coming from an IP address not being allowed on the outside interface?
0
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

MikeKaneCommented:
Is the source IP 166.x.x.x part of your pool?    

Is your client vpn running a split tunnel config?   IS the traffic from the client coming across the vpn or the public net?  

Is there an access list applied to the inside interface in either direction?    Is the vpn pool on nonat?
0
bbresslinAuthor Commented:
166 is not part of the pool....VPN client is running split tunneling....traffic from client is coming across remote access VPN....VPN pool is nat exempt...
0
MikeKaneCommented:
If 166 is not in the global pool, then I would double check your split tunnel rules also.    The split tunnel may not be catching traffic destined for this server.    If its a public web server, and the client is resolving the name to a public IP (as it normally would), then the traffic probably isn't VPN'd
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bbresslinAuthor Commented:
Customer is accessing via vpn, however the server is resolving to a public IP address, so it is not seeing this traffic as VPN traffic, client needed to access the server using the internal ip address rather than the name...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.