VPN Filtering on a Site to Site

I've been using this doc to configure filtering rules between two sites.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

For the life of me, I cannot get the rules to 'stick'. Once I have built the ACL, then the group policy, and then applied it to the tunnel-group attributes, it should just work ... no? See the configuration of my ASA5505 attached. This is the destination - I want to limit source traffic. What am I doing wrong? After doing all of this, I've tested it several times and traffic that is not being implicitly allowed, is still getting through.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Accepted Solution

I went through this exact thing 2 weeks ago. Just bounce the tunnel and your rules will go into effect. What I don't understand is why in any other case when you change an ACL it's immediate and in this case the tunnel needs to be re-init'd. It's weird. Good luck to you!

4 Replies

As a follow-up to my own post, I found that reloading my ASA fixed this issue. I have to assume that the tunnel must be brought down and then up again to effectively apply the filter? That seems odd... and certainly impractical in many situations. I tried the same configuration on another ASA site-to-site I manage and it did not work. I'm hesitant to reload it, however, until I confirm my suspicions.

Patrick0711

Yes, you must restart the tunnel for any new VPN filter rules to take effect. If you understand the IKE negotiation and how the ASA builds the IKE Phase 1 and Phase 2 SA's, you'll understand why the tunnel must be restarted.

I did not see the 'access-group' commands in your configuration. Which access-list is used to filter inbound, non-VPN traffic?

The ACL was 101. Applying it to the tunnel group is done through group policy ... not the access-group command. At least that is the way I've understood it to be done.

I've resolved this issue by using the

clear crypto isakmp sa

command then bringing the tunnel back up with a ping.

Thanks for the response.
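For reference, here is the shape of the configuration the thread is describing, as an added example rather than the poster's attached config or Cisco's own text. The addresses (remote site 10.1.1.0/24, local site 10.2.2.0/24, peer 203.0.113.1), the ACL number 101 and the group-policy name are assumptions; the IKE/IPsec pieces of the tunnel are assumed to exist already and are not shown.

```text
! Added example (not from the thread): vpn-filter on the "destination" ASA.
! Assumed: remote (source) site 10.1.1.0/24, local site 10.2.2.0/24,
! peer 203.0.113.1, ACL 101, group-policy name L2L-FILTER.
!
! A vpn-filter ACL is written from the REMOTE network's point of view:
!   source = remote site, destination = local site.
! The ASA applies it to decrypted traffic leaving the tunnel and
! mirrors it for the return direction, so only one direction is written.
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list 101 extended permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Anything else arriving from the remote site hits the implicit deny.
!
group-policy L2L-FILTER internal
group-policy L2L-FILTER attributes
 vpn-filter value 101
!
! Bind the policy to the site-to-site tunnel (no access-group needed):
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L-FILTER
!
! The filter is attached when the SA is built, so an existing tunnel
! keeps running unfiltered until it is torn down (exec mode):
clear crypto isakmp sa
! Re-trigger interesting traffic (a ping across the tunnel) and verify
! that the new session shows the filter:
show vpn-sessiondb detail l2l
show asp table filter
```

After the tunnel comes back up, the "Filter Name" field in the session detail should read 101; if it is blank, the policy is not bound to the tunnel-group that the peer actually matched.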