10-31-2009 02:20 PM
I've been using this doc to configure filtering rules between two sites.
For the life of me, I cannot get the rules to 'stick'. Once I have built the ACL, then the group policy, and then applied it to the tunnel-group attributes, it should just work ... no? See the configuration of my ASA5505 attached. This is the destination - I want to limit source traffic. What am I doing wrong? After doing all of this, I've tested it several times and traffic that is not being implicitly allowed is still getting through.
11-01-2009 10:25 AM
I went through this exact thing 2 weeks ago. Just bounce the tunnel and your rules will go into effect. What I don't understand is why in any other case when you change an ACL it's immediate and in this case the tunnel needs to be re-init'd. It's weird. Good luck to you!
10-31-2009 02:36 PM
As a follow-up to my own post, I found that reloading my ASA fixed this issue. I have to assume that the tunnel must be brought down and then up again to effectively apply the filter? That seems odd... and certainly impractical in many situations. I tried the same configuration on another ASA site-to-site I manage and it did not work. I'm hesitant to reload it, however, until I confirm my suspicions.
10-31-2009 03:51 PM
Yes, you must restart the tunnel for any new VPN filter rules to take effect. If you understand the IKE negotiation and how the ASA builds the IKE Phase 1 and Phase 2 SAs, you'll understand why the tunnel must be restarted.
I did not see the 'access-group' commands in your configuration. Which access-list is used to filter inbound, non-VPN traffic?
10-31-2009 06:05 PM
The ACL was 101. Applying it to the tunnel group is done through group policy ... not the access-group command. At least that is the way I've understood it to be done.
I've resolved this issue by using the 'clear crypto isakmp sa' command, then bringing the tunnel back up with a ping.
Thanks for the response.
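Pulling the thread together, here is an added example of the configuration being discussed: an ASA site-to-site tunnel with a vpn-filter applied through group policy, followed by the tunnel bounce the replies say is needed for the filter to take effect. It is an illustration written for this page, not the poster's attached configuration; the peer address 203.0.113.10, the networks 10.1.0.0/16 (local) and 10.2.0.0/16 (remote), and the names VPN_FILTER and SITE_B_GP are all made up for the example.

```cisco
! vpn-filter ACLs are written from the remote peer's perspective:
! source = the remote (peer) network, destination = the local network.
! The ASA applies the same entry to both directions of the tunnel.
access-list VPN_FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list VPN_FILTER extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! An explicit deny at the end makes the intent visible in the config and in hit counts.
access-list VPN_FILTER extended deny ip any any

! The filter is attached via group policy, not with access-group.
group-policy SITE_B_GP internal
group-policy SITE_B_GP attributes
 vpn-filter value VPN_FILTER

! The L2L tunnel group inherits that group policy.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE_B_GP

! The filter is bound to the tunnel when the SA is built, so an existing
! tunnel keeps the old (or no) filter until it is torn down and rebuilt.
! Tear down this peer's IPsec SAs and the IKE SA rather than reloading the box:
clear crypto ipsec sa peer 203.0.113.10
clear crypto isakmp sa
! Interesting traffic (for example a ping across the tunnel) brings it back up.

! Verify that the new session carries the filter and that the deny entry is counting hits:
show vpn-sessiondb l2l
show access-list VPN_FILTER
```

Two points worth checking before assuming the filter is wrong: the source/destination orientation of the ACL (a filter written local-to-remote silently matches nothing of what you intended), and whether the session you are testing through was established before the filter was added, which is exactly the symptom in the original post.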