VPN Filtering on a Site to Site

Answered Question
Oct 31st, 2009

I've been using this doc to configure filtering rules between two sites.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

For the life of me, I cannot get the rules to 'stick'. Once I have built the ACL, then the group policy, and then applied it to the tunnel-group attributes, it should just work ... no? See the configuration of my ASA5505 attached. This is the destination - I want to limit source traffic. What am I doing wrong? After doing all of this, I've tested it several times and traffic that is not being implicitly allowed is still getting through.

Christopher Bell Sat, 10/31/2009 - 14:36

As a follow-up to my own post, I found that reloading my ASA fixed this issue. I have to assume that the tunnel must be brought down and then up again to effectively apply the filter? That seems odd... and certainly impractical in many situations. I tried the same configuration on another ASA site-to-site I manage and it did not work. I'm hesitant to reload it, however, until I confirm my suspicions.

Correct Answer
timothybward Sun, 11/01/2009 - 10:25

I went through this exact thing 2 weeks ago. Just bounce the tunnel and your rules will go into effect. What I don't understand is why in any other case when you change an ACL it's immediate and in this case the tunnel needs to be re-init'd. It's weird. Good luck to you!

Patrick0711 Sat, 10/31/2009 - 15:51

Yes, you must restart the tunnel for any new VPN filter rules to take effect. If you understand the IKE negotiation and how the ASA builds the IKE Phase 1 and Phase 2 SAs, you'll understand why the tunnel must be restarted.

I did not see the 'access-group' commands in your configuration. Which access-list is used to filter inbound, non-VPN traffic?

Christopher Bell Sat, 10/31/2009 - 18:05

The ACL was 101. Applying it to the tunnel group is done through group policy ... not the access-group command. At least that is the way I've understood it to be done.

I've resolved this issue by using the

clear crypto isakmp sa

command then bringing the tunnel back up with a ping.

Thanks for the response.
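To show the whole procedure the thread is discussing in one place, here is an added example configuration (not the poster's attached config and not from the Cisco document linked above). The ACL name, group-policy name, peer address 203.0.113.2 and the 10.1.0.0/16 (local) and 10.2.0.0/16 (remote) networks are assumptions for illustration. It follows the thread's own situation: this ASA is the destination site and the remote site's hosts are the source that should be limited.

```cisco
! vpn-filter ACLs are always written from the remote peer's point of view:
! source = remote network, destination = local network. For connections the
! local side initiates, the ASA evaluates the same ACL with source and
! destination swapped, so one ACL covers both directions.
access-list VPNFILTER-SITEB extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 443
access-list VPNFILTER-SITEB extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! The implicit deny at the end of the ACL drops all other traffic arriving
! over the tunnel; this is the filtering the original poster wants.

! The filter is attached through the group policy, not an access-group.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPNFILTER-SITEB
 vpn-tunnel-protocol IPSec

! Bind the group policy to the site-to-site tunnel group for this peer.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITEB
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <assumed-psk>

! The vpn-filter is applied to the session when the SAs are built, which is
! why an edited filter does not take effect on an established tunnel.
! Tear down the SAs for this peer (narrower than clearing every ISAKMP SA as
! done in the thread), then let interesting traffic re-trigger the tunnel.
clear crypto ipsec sa peer 203.0.113.2
clear crypto isakmp sa

! Confirm the filter is attached to the live session (Filter Name field).
show vpn-sessiondb detail l2l
```

Two points a practitioner will want alongside this: with the default `sysopt connection permit-vpn` in place, decrypted VPN traffic bypasses the interface ACLs applied with `access-group`, so the vpn-filter is the only ACL that governs tunnel traffic (that is why the `access-group` commands asked about above are not part of the answer); and because the filter is bound at SA setup time, every edit to the ACL or to the `vpn-filter` line needs the SAs for that peer cleared before it is enforced, a full `reload` is never required.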
