12-17-2002 01:43 AM - edited 03-09-2019 01:25 AM
Hi,
I seem to be having a strange problem with using CPP to push a filter to a VPN client.
I am using a 3015 (3.5.5) & the S/W client (3.5.1) using the Cisco integrated firewall. My goal is to push a filter which will allow the user to access the corporate IP Networks over a tunnel and ONLY http to the Internet. I have split tunneling set up & using the Default VPN Client filter works as expected - the user can get to the corporate IP networks as defined in the network list & can ping, telnet, ftp everything on the Internet.
When I define a filter which only allows HTTP outbound (using the two OUTBOUND provided filters) & set it to push to the client, the client connects OK - they can only use HTTP to the Internet (ping, telnet etc. do not work), however only one of the corporate IP subnets can be reached over the tunnel.
Can anyone help?
- John.
12-17-2002 07:50 AM
Hi John,
Using CPP, are you pushing multiple subnets in the ST list? If you are, when you try to access the subnets other than the one which works fine, do you see a yellow key next to those subnets in the client?
If you do, then the client must be encrypting the traffic, and there is something going on on the concentrator side.
You would probably need to open a TAC case to troubleshoot it in detail.
Jazib
12-18-2002 01:08 AM
Hi Jazib,
I have 6 subnets in the ST list, the subnet I can access has a key against it. If I ping another device in one of the other subnets the key does not appear.
Using the default VPN filter when I ping a device a key appears & the traffic works to that subnet. It does appear like my HTTP filter is blocking something in the IPSEC session establishment (although I can't see why it would).
- John.
12-18-2002 01:54 PM
Hi John,
It seems like your filters might be behaving strangely. The CPP rules don't get applied for the tunneled traffic. There was a bug filed where CPP rules were getting applied in some cases:
CSCdx01678
You can also enable the client log viewer and see if the traffic destined to the tunnel is getting blocked.
Jazib