vpn-filter not working

nassar
Level 1

Hi,

We have several EZVPN clients connecting to an ASA server. The remote hosts can access all devices behind the ASA. I have added filters to the user profile and group policies but they don't work. Here is the partial configuration from the ASA:

object-group network Blue
 description Blue
 network-object host 192.168.5.31
 network-object host 192.168.5.32
access-list Blue-2 extended permit ip object-group Blue host 10.10.10.100
access-list Blue-2 extended deny ip any any
access-list Blue-2 extended deny icmp any any
username test password *
username test attributes
 vpn-group-policy testpolicy
 vpn-filter value Blue-2
 password-storage enable
tunnel-group testprofile type remote-access
tunnel-group testprofile general-attributes
 address-pool Pool1
 default-group-policy testpolicy
tunnel-group testprofile ipsec-attributes
 pre-shared-key *

Any help will be much appreciated.

Thanks

2 Replies

srue
Level 7

Have you verified users are getting assigned the correct group-policy and not the default one?

show vpn-sessiondb detail

Thanks for the reply.

I verified the group policy. It is correct.

The behaviour I am seeing is similar to the one in bug ID CSCse96559. In my case I am running the latest code.

http://supportwiki.cisco.com/ViewWiki/index.php/The_vpn-filter_command_does_not_restrict_access_on_a_PIX_Firewall/ASA_running_software_version_7.x_when_used_with_Cisco_IOS_12.x_EZVPN_clients