Site to Site VPN filter configuration

Unanswered Question
Feb 12th, 2007

I am setting up a VPN filter where I only want to allow DB2 traffic (port 50001) and ICMP traffic into our network from the remote end. I was told to create a VPN ACL as well as a VPN filter ACL. The tunnel seems to be coming up as I can see the remote IP when I do a "show crypto isakmp sa". I cannot ping the remote servers, and I have attached my Pix 525 configuration. Thanks.

acomiskey Mon, 02/12/2007 - 13:29

I myself have had no luck with the vpn-filter command. This was in an ASA though. I went through a few releases of 7.2.1, 7.2.2 and a tac supplied engineering release which did not work. All traffic eventually gets denied on the tunnel at random intervals.

I would start out without a vpn-filter. Make sure the connectivity is there. Then add the vpn-filter. To apply the filter I always had to tear the tunnel down and bring it back up before filter would take effect.

Is the DB2 traffic a source port of 50001? That's the way you have it written.

The permit icmp statements look fine.

Do you have "sysopt connection permit-ipsec"? You need that to use vpn-filter, otherwise the traffic will be blocked by your interface acls.

You could always remove "sysopt connection permit-ipsec" and write your acl entries in your outside interface access list instead of vpn-filter. You would then also have to explicitly permit ipsec ports (esp, udp 500, udp 4500 etc.) from the remote peer.

Let me know how this goes, I am very interested if this works on pix.

One other thing, if you decide to try the vpn-filter, do not look at it as a regular interface acl. From my experience it is applied "into outside interface" but it is not stateful. Therefore if you want to initiate traffic from inside to outside, you have to explicitly allow the return traffic in the acl. Great huh?

mark.blanchfield Mon, 02/12/2007 - 13:44

Yes. Port 50001 is for DB2. I actually am able to ping through the tunnel to the remote servers now. I changed the existing ACL. I was told initially to use deny instead of permit for the traffic you want to allow. This did not seem to make sense so I changed the ACL to allow the ports I specified and deny everything else. I am waiting on the database techs to verify they can access the remote server over the specified port. This is my first time setting it up. We do have the sysopt connection permit ipsec command. This Pix terminates about 10 other site to site VPNs. This is the first one with a filter.

acomiskey Mon, 02/12/2007 - 13:49

How did you change the acl from what you have posted above?

So the db server is on the remote end? From your initial post it sounded like database server was at local end. How did you know you had to allow the return source port 50001 traffic?

mark.blanchfield Wed, 02/14/2007 - 06:10

Yes. The DB server is on the remote end. I was told by the remote techs that this was the port we would be using. At this point, it does not seem like the filter is working properly, as the remote end can ping through the tunnel, and we are trying to block their ability to initiate communication from their end. All communication will be initiated from our end. I have heard that when making changes, at times you have to remove the tunnel configuration and then put it back in.

acomiskey Thu, 02/15/2007 - 06:12

They are able to ping from remote end because of

access-list vpn-filter extended permit icmp host

access-list vpn-filter extended permit icmp host

access-list vpn-filter extended permit icmp host

access-list vpn-filter extended permit icmp host

If you add "echo-reply" to the end of those statements, they would not be able to ping local end, but you could ping remote end.
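The following is an added PIX/ASA 7.x-style configuration fragment written to illustrate the two points made in this thread: acomiskey's earlier advice that the vpn-filter must be bound to the tunnel's group policy, needs "sysopt connection permit-ipsec", and (in his experience) is not stateful, so the return path of locally initiated DB2 traffic has to be permitted explicitly; and the echo-reply change described just above. It is not the configuration attached to the original question, and the addresses, ACL and policy names are constructed placeholders.

```cisco
! Added example, not the poster's configuration. Placeholder addresses
! (constructed, RFC 5737 documentation ranges):
!   192.0.2.10     local application server (inside, initiates DB2 sessions and pings)
!   198.51.100.20  remote DB2 server (behind the peer)
!   203.0.113.1    remote IPsec peer (outside address)
!   203.0.113.2    this firewall's outside address
!
! vpn-filter ACL. Entries are written with the remote side as the source, and
! because the thread reports the filter is not stateful, the return half of a
! locally initiated connection is permitted explicitly.
!
! Entry as shown in the thread (too permissive): any ICMP from the remote host,
! so the remote end can initiate pings into the local network.
!   access-list VPN-FILTER extended permit icmp host 198.51.100.20 host 192.0.2.10
!
! Corrected entries: DB2 replies from source port 50001, and ICMP echo replies only.
access-list VPN-FILTER extended permit tcp host 198.51.100.20 eq 50001 host 192.0.2.10
access-list VPN-FILTER extended permit icmp host 198.51.100.20 host 192.0.2.10 echo-reply
! The implicit deny at the end drops everything else, including remote-initiated
! echo requests.

! Bind the filter to the group policy that the site-to-site tunnel-group uses.
group-policy DB2-SITE-POLICY internal
group-policy DB2-SITE-POLICY attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy DB2-SITE-POLICY

! vpn-filter is applied to decrypted traffic that bypasses the interface ACL,
! which is what this sysopt enables.
sysopt connection permit-ipsec

! Alternative described in the thread: disable the bypass and carry the same
! rules in the outside interface ACL. That ACL must then also admit the IPsec
! control and data traffic from the peer itself.
! no sysopt connection permit-ipsec
! access-list OUTSIDE-IN extended permit esp host 203.0.113.1 host 203.0.113.2
! access-list OUTSIDE-IN extended permit udp host 203.0.113.1 host 203.0.113.2 eq 500
! access-list OUTSIDE-IN extended permit udp host 203.0.113.1 host 203.0.113.2 eq 4500
! access-list OUTSIDE-IN extended permit tcp host 198.51.100.20 eq 50001 host 192.0.2.10
! access-list OUTSIDE-IN extended permit icmp host 198.51.100.20 host 192.0.2.10 echo-reply
! access-group OUTSIDE-IN in interface outside
```

As the thread notes, a changed vpn-filter did not take effect on an existing tunnel; clearing the peer's security associations (for example "clear crypto ipsec sa peer 203.0.113.1") forces the tunnel to be rebuilt with the new filter. The direction and statefulness of vpn-filter evaluation differ between releases, so the entries above should be checked against the documentation for the exact PIX/ASA version in use before relying on them.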

mark.blanchfield Thu, 02/15/2007 - 07:00

Ok. Thanks. I did not realize that. I am still testing the VPN filter. Currently, it is not applied. I can get the tunnel to work no problem, but when I apply the filter, it does not work. I have looked for documentation on VPN filters and there is not a whole lot out there. Thanks again for responding.

acomiskey Thu, 02/15/2007 - 07:21

No, there is almost zero documentation on this, and what there is is not clear at all. There is more mention of it on the cisco bug site than anywhere else, haha. Like I said before, I gave up on it and resorted to using my interface acls for this.

I think that when you apply the filter, you need to allow esp in your vpn-filter acl between your two peers. That is probably why it does not work with the filter in place.

mark.blanchfield Tue, 02/20/2007 - 13:36

Thanks. I see how echo-reply needs to be added to allow thru only the replies to the pings generated from this end and block a ping initiated from the remote end. Thanks again.
