Netgate Discussion Forum

    Cisco AnyConnect blocks port forwarding from tunnel to LAN over pfsense

    NAT
    2 Posts 1 Posters 783 Views
    mare

      Hello,

      I have pfSense as my home router.

      I work on a first PC (#1) that is connected to some VPN with Cisco AnyConnect, and I have enabled the "Allow LAN access" option. The LAN is 192.168.1.0/24.

      The second, remote PC (#2) is connected via OpenVPN to my pfSense router and is assigned a tunnel IP in 10.0.8.0/24.

      I have successfully forwarded some TCP and UDP ports from PC #1 over pfSense to PC #2. (I could not do otherwise, as AnyConnect on PC #1 blocks access to the tunnel network where PC #2 is.)

      However, I have trouble forwarding a UDP port in the other direction - from PC #2 over pfSense to PC #1. I did everything according to the manual, enabled NAT reflection (https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html), etc.

      The States diagnostics show everything correctly, the forwarding works, and I can receive data on PC #1, BUT ONLY UNTIL I connect to the Cisco AnyConnect VPN. As soon as I connect Cisco AnyConnect, I am unable to receive anything.

      Interestingly, I can circumvent this apparent Cisco AnyConnect blockade if I forward the UDP traffic from pfSense to some third PC on the LAN and forward it from there back to PC #1.

      How does Cisco AnyConnect on PC #1 know that I am routing this traffic and that the original source is not on the LAN? Why does the additional hop over an auxiliary LAN PC work? Will it help if I change the IP of the pfSense router to something other than 192.168.1.1?

      This is the States diagnostics screenshot from pfSense. It is the same with or without the Cisco VPN connection:
      [screenshot: f117ca6e-d561-41e0-a589-3cef0aaad9c3-image.png]

        mare

        Still no answers?

        Is it possible to set up a Virtual IP on the LAN which would replace the "third PC" from the OP, and forward ports from pfSense -> Virtual IP -> destination 192.168.1.10?

        I tried this with "IP Alias" and "CARP Virtual IP", but port forwarding does not work.

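The thing to check in this thread is which source address PC #1 actually sees on the forwarded datagram, because that is what a local-LAN exemption on the VPN client can key on. The script below is an added example, not code from the original posts or from Netgate/Cisco; it models the packet path from PC #2 through a pfSense port forward to PC #1 under the strategies discussed in both posts (plain forward, the "third PC" relay, a Virtual IP hop) plus an outbound NAT rule on the LAN interface. It assumes that AnyConnect's local LAN access only exempts peers whose address lies inside the directly connected subnet (Cisco documents the feature as limited to the local subnet; treat this as the hypothesis to verify with a packet capture on PC #1). The addresses 10.0.8.1, 10.0.8.2, 192.168.1.20, 192.168.1.2 and the UDP port 5000 are assumptions; 192.168.1.0/24, 10.0.8.0/24, 192.168.1.1 and 192.168.1.10 come from the thread.

```python
"""Model of the UDP path PC#2 -> pfSense port forward -> PC#1 (AnyConnect host).

Constructed example for the forum thread above; not the project's own code.
"""
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")        # home LAN behind pfSense
OVPN_NET = ipaddress.ip_network("10.0.8.0/24")      # OpenVPN tunnel network
PFSENSE_LAN = ipaddress.ip_address("192.168.1.1")   # pfSense LAN address
PC1 = ipaddress.ip_address("192.168.1.10")          # PC#1, runs AnyConnect

# Assumed addresses (not stated in the thread)
PC2_TUN = ipaddress.ip_address("10.0.8.2")          # PC#2's tunnel address
PFSENSE_TUN = ipaddress.ip_address("10.0.8.1")      # pfSense's tunnel address
RELAY_PC = ipaddress.ip_address("192.168.1.20")     # the "third PC" on the LAN
VIP = ipaddress.ip_address("192.168.1.2")           # IP Alias / CARP VIP on LAN
UDP_PORT = 5000                                     # the forwarded UDP port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


def port_forward(pkt: Packet, listen: ipaddress.IPv4Address, listen_port: int,
                 target: ipaddress.IPv4Address, target_port: int) -> Packet:
    """pfSense inbound NAT (port forward): rewrites destination only.
    The source address is left untouched; that is the crux of the problem."""
    if pkt.dst == listen and pkt.dport == listen_port:
        return replace(pkt, dst=target, dport=target_port)
    return pkt


def outbound_nat(pkt: Packet, lan: ipaddress.IPv4Network,
                 lan_addr: ipaddress.IPv4Address) -> Packet:
    """Outbound NAT on the LAN interface: traffic entering the LAN from a
    non-LAN source leaves pfSense with the LAN interface address as source."""
    if pkt.dst in lan and pkt.src not in lan:
        return replace(pkt, src=lan_addr)
    return pkt


def relay_via(pkt: Packet, relay: ipaddress.IPv4Address,
              final_dst: ipaddress.IPv4Address) -> Packet:
    """The 'third PC' trick: the relay host receives the datagram and re-sends
    it from its own address, so the final host sees a LAN source."""
    return replace(pkt, src=relay, dst=final_dst)


def anyconnect_allows(pkt: Packet, local_net: ipaddress.IPv4Network,
                      vpn_up: bool) -> bool:
    """ASSUMED behaviour of AnyConnect 'Allow Local LAN Access': while the
    tunnel is up, only peers inside the directly connected subnet bypass the
    tunnel filter; any other source is dropped. With the VPN down, no filter."""
    if not vpn_up:
        return True
    return pkt.src in local_net


def deliver(strategy: str, vpn_up: bool) -> tuple:
    """Walk one datagram from PC#2 to PC#1 and return
    (source address PC#1 sees, whether the modelled AnyConnect filter passes it)."""
    pkt = Packet(src=PC2_TUN, dst=PFSENSE_TUN, sport=40000, dport=UDP_PORT)
    if strategy == "plain":            # port forward straight to PC#1
        pkt = port_forward(pkt, PFSENSE_TUN, UDP_PORT, PC1, UDP_PORT)
    elif strategy == "relay":          # forward to the third PC, which re-sends
        pkt = port_forward(pkt, PFSENSE_TUN, UDP_PORT, RELAY_PC, UDP_PORT)
        pkt = relay_via(pkt, RELAY_PC, PC1)
    elif strategy == "vip":            # forward to a VIP, then VIP -> PC#1
        pkt = port_forward(pkt, PFSENSE_TUN, UDP_PORT, VIP, UDP_PORT)
        pkt = port_forward(pkt, VIP, UDP_PORT, PC1, UDP_PORT)
    elif strategy == "outbound_nat":   # port forward plus outbound NAT on LAN
        pkt = port_forward(pkt, PFSENSE_TUN, UDP_PORT, PC1, UDP_PORT)
        pkt = outbound_nat(pkt, LAN, PFSENSE_LAN)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return str(pkt.src), anyconnect_allows(pkt, LAN, vpn_up)


if __name__ == "__main__":
    for vpn_up in (False, True):
        for strategy in ("plain", "relay", "vip", "outbound_nat"):
            src, ok = deliver(strategy, vpn_up)
            state = "up  " if vpn_up else "down"
            print(f"AnyConnect {state} {strategy:13s} PC#1 sees src={src:13s} "
                  f"-> {'delivered' if ok else 'dropped'}")
```

Under this model the plain forward and the VIP hop both hand PC #1 a datagram whose source is still 10.0.8.2, so a local-subnet-only exemption drops it once the tunnel is up, while the relay and the outbound NAT variants hand it a 192.168.1.x source and pass. The pfSense-side equivalent of the third PC is therefore an outbound NAT rule on the LAN interface (Firewall > NAT > Outbound, in Hybrid or Manual mode) with source 10.0.8.0/24, destination 192.168.1.10 and the translation address set to the interface address; a Virtual IP by itself does not change the source address. Confirm the hypothesis first by capturing on PC #1 (Wireshark or tcpdump) with AnyConnect disconnected and then connected: if the datagrams arrive with a 10.0.8.x source in the first case and vanish in the second, the model matches.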
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.