Site to Site VPN filter

Phil Bradley
Level 4

I have configured a site to site VPN and I cannot seem to get the VPN filter to work. I have followed this document:

http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf

I have created an ACL and then created an ACE with only the traffic that I want to permit. I then went to the site to site group policy and applied this filter. However, I can still ping the remote network from a client that shouldn't be allowed. The remote network is 192.168.2.0/24. Here is my partial config:

access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-list Test extended deny ip any any

group-policy Test internal
group-policy Test attributes
vpn-filter value Test

tunnel-group Test_tunnel type ipsec-l2l
tunnel-group Test_tunnel general-attributes
default-group-policy Test

1 Accepted Solution

Diego Lopez
Level 1

Hello,

First I want to clarify that the name of the tunnel group used for a site to site tunnel should be the IP address of the peer (at least for static l2l tunnels). That is the tunnel-group where you need to apply this "Test" group policy. The filter configuration looks fine, but you need to make sure that you apply the group policy accordingly. Now, once you apply the group policy to the correct tunnel-group, you need to bounce the tunnel; otherwise the new filter will not take effect. You can use the command "clear crypto ipsec sa peer x.x.x.x", generate some traffic and bring up the tunnel again; once it is up it should have the filter.

If you apply it properly and bounce the tunnel it is going to work.

You can check if the filter is applied using the command "show vpn-sessiondb detail l2l" and looking for the ACL name.

Regards, please rate. 

2 Replies

Hi Diego,

I just put in example values and my site to site tunnel group name is actually the ip peer address. The bouncing of the tunnel fixed the issue. Thanks!
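As an added example (not code from the thread or from Cisco), here is a small Python audit that parses an ASA running-config excerpt for the two pitfalls discussed above: a vpn-filter sitting in a group-policy that no tunnel-group uses, and a static ipsec-l2l tunnel-group that is not named by the peer IP address. The sample config is constructed from the values in the thread, with the tunnel-group deliberately left as Test_tunnel.

```python
"""Audit an ASA config excerpt for site-to-site vpn-filter pitfalls (added example)."""
import ipaddress
import re

# Constructed sample mirroring the thread's objects; Test_tunnel is not a peer IP.
SAMPLE_CONFIG = """\
access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-list Test extended deny ip any any
group-policy Test internal
group-policy Test attributes
 vpn-filter value Test
tunnel-group Test_tunnel type ipsec-l2l
tunnel-group Test_tunnel general-attributes
 default-group-policy Test
"""


def audit_vpn_filters(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    filters = {}        # group-policy name -> vpn-filter ACL name
    l2l_groups = set()  # tunnel-groups declared with type ipsec-l2l
    policy_of = {}      # tunnel-group -> default-group-policy
    gp = tg = None      # which attributes block the parser is currently inside
    for line in config.splitlines():
        if m := re.match(r"group-policy (\S+) attributes", line):
            gp, tg = m.group(1), None
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            tg, gp = m.group(1), None
        elif gp and (m := re.match(r"\s+vpn-filter value (\S+)", line)):
            filters[gp] = m.group(1)
        elif tg and (m := re.match(r"\s+default-group-policy (\S+)", line)):
            policy_of[tg] = m.group(1)

    findings = []
    for gp, acl in filters.items():
        if acl not in acls:
            findings.append(f"group-policy {gp}: vpn-filter ACL {acl} is not defined")
        if gp not in policy_of.values():
            findings.append(f"group-policy {gp}: vpn-filter is set but no tunnel-group uses this policy")
    for tg in sorted(l2l_groups):
        try:
            ipaddress.ip_address(tg)  # static l2l groups are matched by peer address
        except ValueError:
            findings.append(f"tunnel-group {tg}: ipsec-l2l group is not named by the peer IP address")
    return findings
```

Remember that, as the accepted answer notes, a filter that is already correctly bound still only takes effect after the tunnel is bounced.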