VPN Filter on ASA 5550 (IOS - 9.1(3))

connexccs
Level 1

I have a VPN filter applied in an inbound direction and it's working a treat. I now have a requirement for outbound traffic on the same tunnel to reach certain devices by SSH. I can only get ICMP to work through the tunnel outbound.

I realise that VPN Filters work bi-directionally and so have added the relevant NAT Exempt rules and added the relevant ACLs.

I can control ICMP traffic nicely in that if I remove it from the ACL it stops and re-adding it enables it again.

If anybody has any ideas or has come across this before please let me know.

2 Replies

carlguer
Level 1

Hi connexccs,

Have you tried setting captures on the ASA?

Placing a capture you can make sure that the traffic is actually going to the other side of the tunnel and coming back.

Regards,

- Javier -

Hi and thanks for getting back to me. You're right, good old Wireshark is providing somewhat of an answer... but I'm not sure why?!

If you see below I get a reply packet from ICMP but Wireshark does not record a request packet from 10.21.201.56 (the machine that the packet originates from). This explains why I can't send any other protocols over the tunnel. But why is ICMP replying when the original packet was not sent?

33 5.795817 10.11.10.30 10.21.201.56 ICMP 78 Echo (ping) reply    id=0x0001, seq=1606/17926, ttl=255
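As an added example (not code from the original thread and not Cisco's own documentation), here is the ASA configuration and the troubleshooting commands that the two posts above are talking about: a NAT exemption plus a vpn-filter ACL that lets a locally initiated SSH session cross the LAN-to-LAN tunnel, followed by the capture and packet-tracer commands that show whether the SSH SYN ever reaches the tunnel. The hosts 10.21.201.56 and 10.11.10.30 come from the thread; the network objects, ACL and group-policy names, the /24 masks and the peer address 203.0.113.1 are assumptions chosen for the example. The one point worth checking in any vpn-filter config is the ACL direction convention: the ASA evaluates a vpn-filter ACL with the remote side as the source and the local side as the destination regardless of which end opened the connection, so for a locally initiated SSH session the `eq 22` belongs on the source (remote) side of the entry.

```text
! --- Assumed topology (example only): local LAN 10.21.201.0/24 behind "inside",
! --- remote LAN 10.11.10.0/24 reached through the L2L tunnel on "outside".
object network LOCAL-NET
 subnet 10.21.201.0 255.255.255.0
object network REMOTE-NET
 subnet 10.11.10.0 255.255.255.0

! NAT exemption (identity NAT) so tunnel traffic is never translated in either direction
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

! vpn-filter ACL. Source = REMOTE side, destination = LOCAL side, whichever end
! opened the connection. A locally initiated SSH session to 10.11.10.30 therefore
! matches an entry whose SOURCE carries the port:
access-list VPN-FILTER extended permit icmp 10.11.10.0 255.255.255.0 10.21.201.0 255.255.255.0
access-list VPN-FILTER extended permit tcp host 10.11.10.30 eq 22 host 10.21.201.56
! A remote-initiated SSH session to a local host would instead carry the port on
! the destination, e.g.:
! access-list VPN-FILTER extended permit tcp 10.11.10.0 255.255.255.0 host 10.21.201.56 eq 22

! Attach the filter to the tunnel through its group policy (names are assumptions)
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L-GP

! --- Troubleshooting, as suggested in the reply above ---
! Inside capture: does the SSH SYN from the host arrive at the ASA at all?
capture CAP-IN interface inside match tcp host 10.21.201.56 host 10.11.10.30 eq 22
! Outside capture on the peer address: is anything being encrypted and sent?
! (<ASA-OUTSIDE-IP> is a placeholder; use the firewall's own outside address)
capture CAP-OUT interface outside match ip host <ASA-OUTSIDE-IP> host 203.0.113.1
show capture CAP-IN
show capture CAP-OUT
! packet-tracer walks a synthetic SSH SYN through the ACL, NAT and VPN phases
! and names the phase that drops it, which is the quickest way to see a
! vpn-filter mismatch
packet-tracer input inside tcp 10.21.201.56 40000 10.11.10.30 22
! Clean up when done
no capture CAP-IN
no capture CAP-OUT
```

If the inside capture shows the SYN but the outside capture shows no ESP toward the peer, the flow is being dropped on the ASA itself and the packet-tracer output will say in which phase; if the packet-tracer result is an allow in every phase, the drop is on the far side of the tunnel.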
