08-15-2013 01:05 PM
I have a customer who utilizes Cisco's VPN "AnyConnect". Currently they allow vendors to use the VPN on the guest network which is only captive portal username/login. They are denying internal networks, but using "allowall" below the deny in the firewall rules. Users can successfully connect to the guest network and access the internet, but they cannot launch their VPN client.
Could the deny-internal-network rule be causing the issue?
If not are there additional firewall rules (ports to allow, addresses to allow)
I also tried adding a rule to allow the specific IP address for the user in the Guest role for the VPN server 184.108.40.206 255.255.255.0, but I received an error stating "invalid ipaddress/subnet mask"
Thanks for the help!
Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
08-15-2013 01:56 PM
I would use "show datapath session table <ip address of that client>" to see what gets denied. It is possible that the VPN client is using an internal DNS server or something.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
08-15-2013 02:11 PM
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).