cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3195
Views
0
Helpful
2
Replies

Site to Site VPN filter

Phil Bradley
Level 4
Level 4

I have configured a site to site VPN and I cannot seem to get the VPN filter to work. I have followed this document:

http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf

I have created an ACL and then created an ACE with only the traffic that I want to permit. I then went to the site to site group policy and applied this filter. However I can still ping the remote network from a client that shouldn't be allowed. Remote network is 192.168.2.0/24.Here is my partial config:

access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-list Test extended deny ip any any

group-policy Test internal
group-policy Test attributes
vpn-filter value Test

tunnel-group Test_tunnel type ipsec-l2l
tunnel-group Test_tunnel general-attributes
default-group-policy Test

1 Accepted Solution

Accepted Solutions

Diego Lopez
Level 1
Level 1

Hello,

First I want to clarify that the name of the tunnel group used for a site to site tunnel should be the ip address of the peer "at least for static l2l tunnels" that is the tunnel-g were you need to apply this "Test" group policy the filter configuration looks fine but you need to make sure that you apply the group policy accordingly.Now once you apply the group policy to the correct tunnel-g you need to bounce the tunnel otherwise the new filter will not take affect, you can use the command "clear crypto ipsec sa peer x.x.x.x" generate some traffic and bring up the tunnel again once is up it should have the filter.

If you apply it properly and bounce the tunnel it is going to work.

You can check if the filter is applied using the command "show vpn-sessiondb detail l2l" and look for the ACL name

Regards, please rate. 

View solution in original post

2 Replies 2

Diego Lopez
Level 1
Level 1

Hello,

First I want to clarify that the name of the tunnel group used for a site to site tunnel should be the ip address of the peer "at least for static l2l tunnels" that is the tunnel-g were you need to apply this "Test" group policy the filter configuration looks fine but you need to make sure that you apply the group policy accordingly.Now once you apply the group policy to the correct tunnel-g you need to bounce the tunnel otherwise the new filter will not take affect, you can use the command "clear crypto ipsec sa peer x.x.x.x" generate some traffic and bring up the tunnel again once is up it should have the filter.

If you apply it properly and bounce the tunnel it is going to work.

You can check if the filter is applied using the command "show vpn-sessiondb detail l2l" and look for the ACL name

Regards, please rate. 

Hi Diego,

I just put in example values and my site to site tunnel group name is actually the ip peer address. The bouncing of the tunnel fixed the issue. Thanks!