VPN 3000 and Group filters with L2TP/IPSec client connections

jvercelli
Level 1

We want to apply filters at group level for W2K clients.

The clients use the standard L2TP/IPsec connections and use the OU field inside the certificate in order to bind the group at the VPN3015.

The problem is that the group filter is only able to intercept L2TP packets (port 1701), so it is not possible to restrict access at the application level (e.g. TCP port 23 for telnet). I suppose that the concentrator is not able to inspect the data inside the L2TP packet.

Is this correct, or are there other ways to implement this, besides applying filters at the interface level?

Can anyone help me? Thanks in advance for any advice!

2 Replies

paqiu
Level 1

Hi,

The group filter is actually applied after the packets have been decrypted.

So there is no need to look into the L2TP or IPsec packets to filter the traffic.

So you can still filter the application traffic as you wish, such as telnet, FTP, SMTP, as long as I create the correct rules and bind those rules into a user filter. Then you can bind the filter at the group level.

Here is a good URL for setting up group filters (no need for a RADIUS server; a local filter will do as well):

http://www.cisco.com/warp/customer/471/filter.html

Best Regards,

Hi,

Thank you for your feedback, but i have still some doubts.

I have attached a short extract of FILTERDBG in order to show what happens at the group filter level (I've set up a forward-and-log for all packets).

49 07/26/2002 12:18:02.480 SEV=9 FILTERDBG/1 RPT=184
Permit In: intf 1011, filter 'Allow_only_SMTP', UDP, Src 151.24.25.133, Port 1701, Dest 87.92.40.41, Port 1701

51 07/26/2002 12:18:02.710 SEV=9 FILTERDBG/1 RPT=185
Permit In: intf 1011, filter 'Allow_only_SMTP', UDP, Src 151.24.25.133, Port 1701, Dest 87.92.40.41, Port 1701

As you can see, the attempts to access the SMTP port of an internal host are interpreted by the VPN 3000 only as L2TP packets.

The same happens if I try to open another application.

If I try the same connection by means of the Cisco VPN Client, the group filter works correctly and is able to capture the SMTP port (25).

So I have the impression that the group filter applied to L2TP/IPsec removes the IPsec/ESP header correctly but is not able to remove the inner UDP header of the L2TP packet (port 1701), which is not present in Cisco VPN Client connections.

Is this correct, or do you see other solutions? In that case I would very much appreciate any suggestion!

Thanks
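To make the encapsulation discussed in this thread concrete, here is an added Python example. It is not part of the thread and is not Cisco code: it models what the packet looks like once ESP has been removed (outer IP / UDP 1701 / L2TP data message / PPP / inner IP / TCP) and shows that a filter which classifies only on the outer header sees "UDP 1701 to 1701", exactly as in the FILTERDBG extract above, while a classifier that strips the L2TP and PPP layers sees the inner TCP port 25. The packet is constructed inline; the inner addresses (10.0.0.5, 192.168.1.10) and the source port 40000 are assumptions chosen for the example, and nothing here confirms how the VPN 3000 firmware itself orders decapsulation and filtering.

```python
import struct
from ipaddress import IPv4Address

# --- packet builders (constructed sample data, not a capture) ---

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def tcp_header(sport, dport):
    """TCP SYN with a 20-byte header (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def l2tp_data_header(tunnel_id, session_id):
    """L2TPv2 data message: T=0, L/S/O clear, version 2 (RFC 2661)."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)

PPP_IPV4 = b"\xff\x03\x00\x21"   # HDLC address/control + PPP protocol IPv4

def build_l2tp_packet(outer_src, outer_dst, inner_src, inner_dst, inner_dport):
    """Post-ESP-decryption L2TP/IPsec packet carrying an inner TCP SYN."""
    inner = ipv4_header(inner_src, inner_dst, 6, 20) + tcp_header(40000, inner_dport)
    l2tp = l2tp_data_header(1, 1) + PPP_IPV4 + inner
    return ipv4_header(outer_src, outer_dst, 17, 8 + len(l2tp)) \
        + udp_header(1701, 1701, len(l2tp)) + l2tp

# --- classifiers ---

def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def parse_l4(proto, buf):
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", buf[:4])
        return {6: "TCP", 17: "UDP"}[proto], sport, dport
    return "proto%d" % proto, None, None

def classify_outer(pkt):
    """What a filter sees if it only looks at the first IP/L4 header."""
    proto, src, dst, rest = parse_ipv4(pkt)
    name, sport, dport = parse_l4(proto, rest)
    return (name, src, sport, dst, dport)

def strip_l2tp(pkt):
    """Remove IP/UDP(1701)/L2TP/PPP; return the inner IPv4 packet, or None."""
    proto, _, _, rest = parse_ipv4(pkt)
    if proto != 17:
        return None
    _, dport, _, _ = struct.unpack("!HHHH", rest[:8])
    if dport != 1701:
        return None
    l2tp = rest[8:]
    (flags,) = struct.unpack("!H", l2tp[:2])
    if flags & 0x8000 or (flags & 0x000F) != 2:   # control message or not L2TPv2
        return None
    off = 2
    if flags & 0x4000:                  # L bit: Length field present
        off += 2
    off += 4                            # Tunnel ID + Session ID
    if flags & 0x0800:                  # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:                  # O bit: Offset Size + padding
        (offset_size,) = struct.unpack("!H", l2tp[off:off + 2])
        off += 2 + offset_size
    ppp = l2tp[off:]
    if ppp[:2] == b"\xff\x03":          # optional HDLC address/control
        ppp = ppp[2:]
    if ppp[:2] != b"\x00\x21":          # only IPv4 inside PPP is handled here
        return None
    return ppp[2:]

def classify_inner(pkt):
    """What a filter sees after L2TP and PPP have been removed."""
    inner = strip_l2tp(pkt)
    return classify_outer(inner) if inner is not None else None

def rule_matches(flow, proto, dport):
    """Does a rule such as 'permit TCP to port 25' match this 5-tuple?"""
    return flow is not None and flow[0] == proto and flow[4] == dport

if __name__ == "__main__":
    pkt = build_l2tp_packet("151.24.25.133", "87.92.40.41", "10.0.0.5", "192.168.1.10", 25)
    print("outer:", classify_outer(pkt))   # UDP 1701 -> 1701, as in FILTERDBG
    print("inner:", classify_inner(pkt))   # TCP 40000 -> 25, the SMTP attempt
```

Run as-is to print both views of the same packet. The outer classification is the only thing a rule like 'Allow_only_SMTP' can match against if decapsulation has not happened yet, which is why a "permit TCP 25" rule never fires in the posted log.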