Not sure if this is the group to post in but here goes!
My organisation uses a Cisco ASA 5500 device to provide VPN client termination. All is working well, but it would be really useful to be able to remotely administer our users using a tool such as VNC. We are using the ASDM GUI to administer the VPN Group Policy.
We have set up a group policy which determines what network services our VPN users are able to access. These are defined using filters defined using a filter ACL. The ACL entries have the format:
  Source Host/Network = VPN pool range
  Destination Host/Network = Private LAN addresses (e.g. Proxy server)
  Source port = any
  Destination port = required service port (e.g. 8080 for proxy access)
I assumed that by reversing this we could define an ACL entry to allow remote administration of the VPN clients. For example, for VNC:
  Source Host/Network = Private LAN addresses (e.g. VNC viewer PC)
  Destination Host/Network = VPN pool range
  Source port = any
  Destination port = required service port (e.g. 5900 for VNC)
However, the above ACL entry is never matched and the connection is denied.
Do Cisco 5500 devices allow connections to be made from the private (inside) interface to the VPN (outside) clients? Without a filter on the group policy a connection can be made so it must be a rule issue rather than an implicit denial of all inside to outside traffic.
Below is the message from the ASDM monitor:
...109025: Authorization denied (acl=user_cs_vpn) for user '' from 'private address'/2388 to 'VPN client pool address'/5900 on interface inside using TCP
This appears to have the exact format of the configured ACL entry.
Any help would be appreciated.
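Added example (not from the original post, nor Cisco's own sample configuration): the VPN filter ACL from the post written out on the ASA command line, with both the client-to-proxy entry and the inside-to-client VNC entry. The addresses are constructed placeholders (192.0.2.0/24 for the VPN pool, 10.0.0.10 for the proxy, 10.0.0.20 for the VNC viewer PC) and the ACL name user_cs_vpn is taken from the syslog message in the post; the group-policy name is assumed. It relies on the documented ASA behaviour for vpn-filter ACLs: the filter is evaluated from the VPN client's side in both directions, so the client address is always the source address of each entry, and for a connection that the inside network initiates, the client's service port is written as the source port.

```cisco
! Constructed example: replace the placeholder addresses with your own.
! VPN pool:        192.0.2.0/24
! Proxy server:    10.0.0.10 (clients reach it on TCP 8080)
! VNC viewer PC:   10.0.0.20 (administers clients on TCP 5900)

! Client-initiated traffic: the client is the source and the service
! port (8080) is the destination port, exactly as in the post.
access-list user_cs_vpn extended permit tcp 192.0.2.0 255.255.255.0 host 10.0.0.10 eq 8080

! Inside-initiated traffic: in a vpn-filter the client is still the
! source, so the VNC service port (5900) goes in the client's SOURCE
! port position. An entry written with the viewer PC as source, e.g.
!   permit tcp host 10.0.0.20 192.0.2.0 255.255.255.0 eq 5900
! is never consulted by the filter and the connection is denied.
access-list user_cs_vpn extended permit tcp 192.0.2.0 255.255.255.0 eq 5900 host 10.0.0.20

! Attach the filter to the group policy (policy name is assumed).
group-policy VPN_USERS attributes
 vpn-filter value user_cs_vpn
```

After applying it, `show access-list user_cs_vpn` shows a hit count against the VNC entry when a connection from 10.0.0.20 is accepted, and the "Authorization denied (acl=user_cs_vpn)" message stops appearing for that flow. Keeping the inside source limited to the one management host rather than the whole private LAN keeps the administrative path into the clients as narrow as possible.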