Remote administration of VPN clients

Discussion in 'Cisco' started by Dave, Jul 4, 2007.

  1. Dave

    Dave Guest

    Hi all,

    Not sure if this is the group to post in but here goes!

    My organisation uses a Cisco asa5500 device to provide VPN client
    termination. All is working well but it would be really useful to be
    able to remotely administer our users using a tool such as VNC. We are
    using the ASDM GUI to administer the VPN Group Policy.

    We have set up a group policy which determines what network services
    our VPN users are able to access. These are defined using filters
    defined using a filter ACL. The ACL entries have the format:

    Source Host/Network = VPN pool range
    Destination Host/Network = Private LAN addresses (e.g. Proxy server)
    Source port = any
    Destination port = required service port (e.g. 8080 for proxy access)

    I assumed that by reversing this we could define an ACL entry to allow
    remote administration of the VPN clients. For example, for VNC:

    Source Host/Network = Private LAN addresses (e.g. VNC viewer PC)
    Destination Host/Network = VPN pool range
    Source port = any
    Destination port = required service port (e.g. 5900 for VNC)

    However, the above ACL entry is never matched and the connection is
    denied.

    Do Cisco 5500 devices allow connections to be made from the private
    (inside) interface to the VPN (outside) clients? Without a filter on
    the group policy a connection can be made so it must be a rule issue
    rather than an implicit denial of all inside to outside traffic.

    Below is the message from the ASDM monitor:

    ....109025: Authorization denied (acl=user_cs_vpn) for user '<unknown>'
    from 'private address'/2388 to 'VPN client pool address'/5900 on
    interface inside using TCP

    This appears to have the exact format of the configured ACL entry.

    Any help would be appreciated.


    Cheers,

    Dave
     
    Dave, Jul 4, 2007
    #1

  2. Dave

    Dave Guest

    Hi,

    If anyone is interested I got a TACS call resolution for this issue.

    Rather than reverse the source and destination network entries I
    needed to swap the source and destination ports.

    So to allow an incoming connection to the VPN client the following is
    used:

    Source Host/Network = VPN pool range
    Destination Host/Network = Private LAN addresses (e.g. VNC viewer PC)
    Source port = required service port (e.g. 5900 for VNC)
    Destination port = any

    Seems a bit odd but it does the trick.

    Cheers,

    Dave
     
    Dave, Jul 13, 2007
    #2
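A small model of the behaviour the TAC fix above implies, added here as an example (it is not code from the thread or from Cisco): the vpn-filter ACL is evaluated with the VPN client side as the ACL source whichever end opened the connection, so an inside-initiated VNC session is mirrored before matching. The address ranges and flows are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard for a port field (ASDM "any")
@dataclass(frozen=True)
class Ace:
    """One filter ACL entry, fields as in the ASDM form."""
    src_net: str
    dst_net: str
    src_port: Optional[int]
    dst_port: Optional[int]

@dataclass(frozen=True)
class Flow:
    """A TCP connection as the ASA sees it (who connected to whom)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    from_inside: bool  # True if initiated from the inside interface
# Constructed ranges; the thread names no real addresses.
VPN_POOL = "10.10.10.0/24"
PRIVATE_LAN = "192.168.1.0/24"

def normalize(flow: Flow) -> Flow:
    """The vpn-filter is always matched with the VPN client as the ACL
    source, so an inside-initiated flow is mirrored before matching."""
    if not flow.from_inside:
        return flow
    return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, False)

def matches(ace: Ace, flow: Flow) -> bool:
    f = normalize(flow)
    return (ip_address(f.src_ip) in ip_network(ace.src_net)
            and ip_address(f.dst_ip) in ip_network(ace.dst_net)
            and (ace.src_port is ANY or ace.src_port == f.src_port)
            and (ace.dst_port is ANY or ace.dst_port == f.dst_port))

def permitted(acl: list, flow: Flow) -> bool:
    """Any matching permit entry allows the flow; otherwise implicit deny."""
    return any(matches(ace, flow) for ace in acl)
# The thread's entries: the working proxy rule, the attempt from post #1
# (reversed networks, never matches) and the TAC fix from post #2.
PROXY = Ace(VPN_POOL, PRIVATE_LAN, ANY, 8080)
REVERSED_NETWORKS = Ace(PRIVATE_LAN, VPN_POOL, ANY, 5900)
SWAPPED_PORTS = Ace(VPN_POOL, PRIVATE_LAN, 5900, ANY)
# Constructed flows: the VNC attempt from the ASDM log line, and a proxy request.
VNC_FROM_INSIDE = Flow("192.168.1.20", 2388, "10.10.10.5", 5900, True)
PROXY_FROM_CLIENT = Flow("10.10.10.5", 41000, "192.168.1.10", 8080, False)
```

Running `permitted([PROXY, REVERSED_NETWORKS], VNC_FROM_INSIDE)` reproduces the denial in the log line, while `permitted([PROXY, SWAPPED_PORTS], VNC_FROM_INSIDE)` allows it without opening anything beyond port 5900 on the clients.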
