Howto filter traffic between two ezvpn clients

Apr 22nd, 2010

Hi Guys

Could anyone help me with the following issue?

I want to filter traffic between two ezvpn (ios) clients. The hub is an ASA running 8.04 code.

client1 is allowed to access the local networks of client2, but client2 is not allowed to access the client1 local subnet. Both clients are allowed to access the inside network of the ASA.

Both client networks are known to the ASA by means of RRI.

I read that in vpn-filter acl the source part is used for the remote network and the destination part for the local network.

I was thinking of using the vpn-filter feature and link it to the user1 and user2 account. Something like this:

username user1 password pwd1
username user1 attributes
 vpn-filter value acl1
username user2 password pwd1
username user2 attributes
 vpn-filter value acl2
access-list acl1 extended permit ip any any
access-list acl2 extended permit ip subnet1 mask1 inside_net inside_mask

Unfortunately this is not working... why? Any ideas how to fix this?


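The following is an added example, not configuration from the thread or from the poster. It shows the vpn-filter syntax the question is reaching for on an ASA hub with two NEM EzVPN clients, written with the convention the poster cites (in the filter ACL the source is the remote/client side, the destination is the network behind the ASA). All addresses, names and passwords are placeholders chosen here; the thread names none.

```cisco
! Added example, not from the thread. Assumed placeholder addressing:
!   client1 LAN 10.1.1.0/24, client2 LAN 10.1.2.0/24, ASA inside 192.168.0.0/24
! Both EzVPN tunnels terminate on the outside interface, so traffic from one
! tunnel to the other has to be allowed to hairpin on that interface.
same-security-traffic permit intra-interface

! vpn-filter convention (as stated in the thread): source = remote side,
! destination = local side behind the ASA. The ASA applies the same filter
! to the return direction with the addresses swapped, so only the
! remote-to-local view has to be written down.

! client1 may reach the ASA inside network and the client2 LAN.
access-list acl1 extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl1 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! client2 may reach the ASA inside network only; anything else, including
! the client1 LAN, hits the implicit deny at the end of the ACL.
access-list acl2 extended permit ip 10.1.2.0 255.255.255.0 192.168.0.0 255.255.255.0

! Tie each filter to the user the client authenticates with (keyword "value").
username user1 password pwd1
username user1 attributes
 vpn-filter value acl1
username user2 password pwd2
username user2 attributes
 vpn-filter value acl2
```

Note the limit this runs into, which is the open point of the thread: a packet from the client1 LAN to the client2 LAN crosses both tunnels, so it is checked against acl1 (where it is permitted) and against acl2 (where, with the addresses swapped, it is not). Because the filter is applied in both directions, a plain IP permit in acl2 would also let client2 initiate connections to client1, which is what the poster wants to prevent; the two requirements cannot both be met with address-only rules, so the hit counters (acl1 increasing, acl2 not) are the first thing to check when the intra-client traffic is dropped.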
Federico Coto F... Thu, 04/22/2010 - 11:19


Are the EzVPN clients in NEW or Client-mode?

As for now, both clients can access each other's LAN correct?

Are you getting hit counts on acl1 and acl2 when sending traffic?


HHagendoorn Thu, 04/22/2010 - 23:57

Hi Federico,

Thx for your reply, both clients are in NEM mode.

Both clients can reach the inside network. But client1 can't reach the inside network of client2 (which it should).

When I'm sourcing a ping from the client1 inside network to the client2 inside network, the acl1 counter is increasing, the acl2 counter is not.

Hope this helps...?



Federico Coto F... Fri, 04/23/2010 - 07:17

If the IOS clients are in NEM mode that means they keep their IP addresses.
So, client1 LAN should reach client2 LAN through the ASA correct?

In order to allow client1 to reach client2 through the ASA, several things need to happen:
1. The ASA should have the same-security-traffic permit intra-interface command.
2. The client1 LAN should be encrypted in an ACL that goes to client2 tunnel (and vice versa).
3. The NAT and route rules should be properly configured.

Is it possible for you to attach the configs?


HHagendoorn Mon, 04/26/2010 - 23:43

Hi Federico,

I agree both clients should be able to reach each other's inside network. In fact this is indeed the case if I don't use any filter ACL at all.


1. Yes permit intra-interface is in the cfg

2. ??? This is EzVPN, there is no crypto ACL.

3. I checked on NAT; client and ASA NAT (exempt) is working fine. Proof is the fact that things are working without any ACL.

So I think it boils down to the definition and possibilities of defining a filter ACL. The problem is how do I define local and remote with regards to intra-client traffic. To make things worse, I read the ACL is bidirectional...

