02-03-2016 02:03 PM
I have configured a site to site VPN and I cannot seem to get the VPN filter to work. I have followed this document:
http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf
I have created an ACL and then created an ACE with only the traffic that I want to permit. I then went to the site to site group policy and applied this filter. However I can still ping the remote network from a client that shouldn't be allowed. Remote network is 192.168.2.0/24. Here is my partial config:
access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-list Test extended deny ip any any
group-policy Test internal
group-policy Test attributes
vpn-filter value Test
tunnel-group Test_tunnel type ipsec-l2l
tunnel-group Test_tunnel general-attributes
default-group-policy Test
02-03-2016 06:23 PM
Hello,
First I want to clarify that the name of the tunnel group used for a site to site tunnel should be the IP address of the peer (at least for static L2L tunnels); that is the tunnel-group where you need to apply this "Test" group policy. The filter configuration looks fine, but you need to make sure that you apply the group policy accordingly. Now, once you apply the group policy to the correct tunnel-group, you need to bounce the tunnel, otherwise the new filter will not take effect. You can use the command "clear crypto ipsec sa peer x.x.x.x", generate some traffic and bring up the tunnel again; once it is up it should have the filter.
If you apply it properly and bounce the tunnel it is going to work.
You can check if the filter is applied using the command "show vpn-sessiondb detail l2l" and look for the ACL name.
Regards, please rate.
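To see why the ACL in the question permits only host 192.168.1.2, here is an added illustration (not ASA code and not from the thread) that models how a vpn-filter ACL is evaluated: the ASA writes the ACL with the remote tunnel network as source and matches it on decrypted inbound traffic as-is, while for traffic about to be encrypted it swaps source and destination before matching. Protocol matching is left out because every ACE in the post is "ip"; the 192.168.1.5 client address is a constructed example.

```python
import ipaddress

# Constructed copy of the ACL from the post: remote 192.168.2.0/24 may talk
# only with local host 192.168.1.2; the explicit deny catches everything else.
# Each ACE is (action, source network, destination network); protocol "ip" is
# assumed for all of them, so ICMP, TCP and UDP are treated alike.
VPN_FILTER = [
    ("permit", "192.168.2.0/24", "192.168.1.2/32"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def acl_match(acl, src, dst):
    """Return the action of the first ACE matching src -> dst (implicit deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def vpn_filter_allows(acl, src, dst, direction):
    """Evaluate a vpn-filter ACL the way the ASA applies it to tunnel traffic.

    direction "inbound": packet just decrypted from the tunnel, so the remote
    host is already the source and the ACL is matched as written.
    direction "outbound": packet from the local side about to be encrypted;
    the ASA checks it with source/destination swapped so the ACL keeps the
    remote side as its source.
    """
    if direction == "inbound":
        return acl_match(acl, src, dst) == "permit"
    if direction == "outbound":
        return acl_match(acl, dst, src) == "permit"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def check_flows(acl, flows):
    """Return a dict of (src, dst, direction) -> True/False for a list of flows."""
    return {flow: vpn_filter_allows(acl, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed flows: the allowed host pinging across, a stray client
    # 192.168.1.5 trying the same, and the remote side initiating both ways.
    flows = [
        ("192.168.1.2", "192.168.2.10", "outbound"),
        ("192.168.1.5", "192.168.2.10", "outbound"),
        ("192.168.2.10", "192.168.1.2", "inbound"),
        ("192.168.2.10", "192.168.1.5", "inbound"),
    ]
    for flow, allowed in check_flows(VPN_FILTER, flows).items():
        print(flow, "permit" if allowed else "deny")
```

If the stray client is still reaching the remote network on a real box, the filter is not in force on that session yet, which is exactly the bounce-the-tunnel case described in the answer.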
02-03-2016 07:17 PM
Hi Diego,
I just put in example values and my site to site tunnel group name is actually the ip peer address. The bouncing of the tunnel fixed the issue. Thanks!