Problem using CPP filters

john.pierson
Level 1

Hi,

I seem to be having a strange problem with using CPP to push a filter to a VPN client.

I am using a 3015 (3.5.5) & the S/W client (3.5.1) using the Cisco integrated firewall. My goal is to push a filter which will allow the user to access the corporate IP Networks over a tunnel and ONLY http to the Internet. I have split tunneling set up & using the Default VPN Client filter works as expected - the user can get to the corporate IP networks as defined in the network list & can ping, telnet, ftp everything on the Internet.

When I define a filter which only allows HTTP outbound (using the two OUTBOUND provided filters) & set it to push to the client, the client connects OK: they can only use HTTP to the Internet (ping, telnet etc. do not work); however, only one of the corporate IP subnets can be reached over the tunnel.

Can anyone help?

- John.

3 Replies

jfrahim
Level 5

Hi John,

Using CPP, are you pushing multiple subnets in the ST list? If you are, when you try to access the subnets other than the one which works fine, do you see a yellow key next to those subnets in the client?

If you do, then the client must be encrypting the traffic, and there is something going on on the concentrator side.

You would probably need to open a TAC case to troubleshoot it in detail.

Jazib

Hi Jazib,

I have 6 subnets in the ST list, the subnet I can access has a key against it. If I ping another device in one of the other subnets the key does not appear.

Using the default VPN filter, when I ping a device a key appears & the traffic works to that subnet. It does appear like my HTTP filter is blocking something in the IPsec session establishment (although I can't see why it would).

- John.

Hi John,

It seems like your filters might be behaving strangely. The CPP rules don't get applied to the tunneled traffic. There was a bug filed where CPP rules were getting applied in some cases:

CSCdx01678

You can also enable the client log viewer and see if the traffic destined to the tunnel is getting blocked.

Jazib
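The exchange above turns on one rule of the client's packet handling: under split tunneling, a destination in the pushed network list is encrypted (yellow key) and is supposed to bypass the CPP filter, while everything else goes out in the clear and is subject to it. The model below is an added example, not code from the thread, from Cisco or from the VPN client; the six /16 subnets, the 198.51.100.10 Internet host, and the one-permit-plus-implicit-deny rendering of the "HTTP only outbound" filter are all constructed stand-ins for values the post does not give. It reproduces the expected behaviour (ping to every corporate subnet tunnels, only TCP/80 reaches the Internet) and, with `filter_tunneled_traffic=True`, the symptom John reports, where the filter is applied to tunneled packets as well. `tunneled_but_blocked` is the check to compare against the client log viewer output: any tunnel-bound destination it lists is the filter leaking onto tunneled traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed split-tunnel network list. The post says the ST list holds six
# corporate subnets but gives no addresses, so these are stand-ins.
SPLIT_TUNNEL_LIST = [ip_network(n) for n in (
    "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16",
    "10.4.0.0/16", "10.5.0.0/16", "10.6.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]   # None matches any port (and port-less protocols)


# Assumed model of the "HTTP only outbound" CPP filter from the post: one
# permit for TCP/80, everything else falls to the implicit deny.
HTTP_ONLY_FILTER = [Rule("permit", "tcp", 80)]
# Assumed model of the Default VPN Client filter: permit all outbound.
DEFAULT_CLIENT_FILTER = [Rule("permit", "any", None)]


def filter_allows(rules: List[Rule], proto: str, dst_port: Optional[int]) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if r.proto in ("any", proto) and r.dst_port in (None, dst_port):
            return r.action == "permit"
    return False


def classify(dst: str, proto: str, dst_port: Optional[int], cpp_rules: List[Rule],
             filter_tunneled_traffic: bool = False) -> Tuple[str, bool]:
    """Return (path, allowed) for one outbound packet.

    path is "tunnel" when dst falls inside the split-tunnel list (the client
    encrypts it and shows the yellow key), otherwise "clear".  As described
    in the thread, the CPP filter is only meant to apply to clear traffic;
    filter_tunneled_traffic=True models the reported symptom, where the
    filter is applied to tunneled packets too.
    """
    addr = ip_address(dst)
    tunneled = any(addr in net for net in SPLIT_TUNNEL_LIST)
    if tunneled and not filter_tunneled_traffic:
        return "tunnel", True
    return ("tunnel" if tunneled else "clear"), filter_allows(cpp_rules, proto, dst_port)


# Constructed probes: a ping into each corporate subnet, plus HTTP and ping
# to an Internet host (198.51.100.10 is documentation address space).
PROBES = [(f"10.{i}.0.10", "icmp", None) for i in range(1, 7)] + [
    ("198.51.100.10", "tcp", 80),
    ("198.51.100.10", "icmp", None),
]


def tunneled_but_blocked(cpp_rules: List[Rule],
                         filter_tunneled_traffic: bool = False) -> List[str]:
    """Destinations the client should tunnel but the filter drops.

    A non-empty result is the signature of the filter being applied to
    tunneled traffic; with correct behaviour it is always empty.
    """
    hits = []
    for dst, proto, port in PROBES:
        path, allowed = classify(dst, proto, port, cpp_rules, filter_tunneled_traffic)
        if path == "tunnel" and not allowed:
            hits.append(dst)
    return hits


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_CLIENT_FILTER), ("http-only", HTTP_ONLY_FILTER)):
        for dst, proto, port in PROBES:
            print(name, dst, proto, port, classify(dst, proto, port, rules))
    print("tunneled but blocked (expected):",
          tunneled_but_blocked(HTTP_ONLY_FILTER))
    print("tunneled but blocked (filter leaking onto tunnel):",
          tunneled_but_blocked(HTTP_ONLY_FILTER, filter_tunneled_traffic=True))
```

Note that the model does not explain why exactly one of John's six subnets still works; it only separates the two outcomes the thread distinguishes (tunnel-bound traffic exempt from the filter versus tunnel-bound traffic dropped by it), which is the distinction the client log viewer lets you confirm.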
