L2L VPN tunnel filter does not work as expected.

rizwanr74

Hi Guys,

 

I have a strange problem with the VPN filter that I have on my L2L IPsec tunnel on the ASA.

 

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.60
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.61


works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.61
works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.60

 

When our hosts 16.19.56.60 and 16.19.56.61 initiate traffic, it goes to destination port 1416 and it works.

When the remote host 20.183.75.152 initiates traffic, it comes to port 1414 and it does not work.

I don't know what is causing the issue in the VPN port filter ACL.

 

I also tried this way, but it didn't help.

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.61 eq 1414

 

Any thoughts?

Thx

Rizwan Rafeek

Accepted Solution

Hello @rizwanr74,

 

Yes, you need to coordinate this with the remote end in order to check what is going on with the connection. I will also suggest using these lines in the VPN filter:

 

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.61 eq 1414

 

Let me know the results once you have them. 

 

HTH

Gio
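The port-position question raised in the original post, as an added example (not code from the thread or from Cisco): a small Python model of the rule Cisco documents for vpn-filter ACLs, namely that entries are written remote-to-local (remote host as source, local host as destination) and that the ASA swaps source and destination, ports included, before matching local-initiated traffic. It uses the addresses and ports from the thread; the ephemeral source ports are constructed. It only models the ACL match, not the tunnel bounce or the remote-end checks discussed in the replies.

```python
# Added example, not from the thread: a model of the documented vpn-filter rule
# that ACEs are written remote-to-local (remote host = source, local host =
# destination) and that the ASA swaps source/destination, ports included,
# before matching local-initiated traffic. Ephemeral source ports are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    src: str
    src_port: Optional[int]   # "eq N" written right after the source host
    dst: str
    dst_port: Optional[int]   # "eq N" written right after the destination host

@dataclass(frozen=True)
class Flow:
    src: str
    src_port: int
    dst: str
    dst_port: int

def as_remote_to_local(flow: Flow, remote_hosts: set) -> Flow:
    """Rewrite the first packet of a flow into the remote->local orientation."""
    if flow.src in remote_hosts:
        return flow
    return Flow(flow.dst, flow.dst_port, flow.src, flow.src_port)

def ace_matches(ace: Ace, f: Flow) -> bool:
    return (ace.src == f.src and ace.dst == f.dst
            and (ace.src_port is None or ace.src_port == f.src_port)
            and (ace.dst_port is None or ace.dst_port == f.dst_port))

def permitted(acl, flow: Flow, remote_hosts: set) -> bool:
    """First matching ACE wins; no match means the implicit deny applies."""
    f = as_remote_to_local(flow, remote_hosts)
    return any(ace_matches(a, f) for a in acl)

REMOTE = {"20.183.75.152"}
# "permit tcp host 20.183.75.152 eq 1414 host 16.19.56.60" (first attempt in the post)
ACL_PORT_ON_REMOTE = [Ace("20.183.75.152", 1414, "16.19.56.60", None)]
# "permit tcp host 20.183.75.152 host 16.19.56.60 eq 1414" (form in the accepted answer)
ACL_PORT_ON_LOCAL = [Ace("20.183.75.152", None, "16.19.56.60", 1414)]
# "permit tcp host 20.183.75.152 eq 1416 host 16.19.56.60" (the line the post says works)
ACL_WORKS = [Ace("20.183.75.152", 1416, "16.19.56.60", None)]

# Remote initiates to local port 1414; local initiates to remote port 1416.
REMOTE_INITIATED = Flow("20.183.75.152", 50000, "16.19.56.60", 1414)
LOCAL_INITIATED = Flow("16.19.56.60", 50001, "20.183.75.152", 1416)
```

With the port written after the remote host, a remote-initiated connection to local port 1414 never matches, because the remote's source port is ephemeral; the same placement matches the local-initiated flow to remote port 1416, which is why that line works.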

GioGonza

Hello @rizwanr74,

When you changed the ACL, did you bounce the VPN tunnel and test the connection again?

 

If you make changes on the VPN filter but you don't bounce the tunnel, the ASA will remain with the old entries and it doesn't show the new ones unless you start the tunnel one more time.

 

If you already did it, run the following commands:

1. Run the command: clear asp-drop

2. Place a capture for ASP drops: capture asp type asp-drop all

3. Perform the test and check the capture; verify if the traffic is being dropped.

4. Run the command: show asp-drop, in order to see the reason for the drop.

 

HTH

Gio

Hi Gio,

 

Thank you very much for your post, appreciated.

Yes, after changing the ACL, I killed the phase 2 and phase 1.

 

About doing the capture, I could try, but it is difficult to coordinate with the remote system admin (Intel) to initiate traffic from the remote end.

 

I will keep you posted.

Thanks again for your input.

 

thx

Rizwan Rafeek
