Cisco Support Community

New Member

Problem using CPP filters

Hi,

I seem to be having a strange problem with using CPP to push a filter to a VPN client.

I am using a 3015 (3.5.5) & the S/W client (3.5.1) using the Cisco integrated firewall. My goal is to push a filter which will allow the user to access the corporate IP Networks over a tunnel and ONLY http to the Internet. I have split tunneling set up & using the Default VPN Client filter works as expected - the user can get to the corporate IP networks as defined in the network list & can ping, telnet, ftp everything on the Internet.

When I define a filter which only allows HTTP outbound (using the two OUTBOUND provided filters) & set it to push to the client, the client connects ok - they can only use HTTP to the Internet (ping, telnet etc. do not work), however only one of the corporate IP subnets can be reached over the tunnel.

Can anyone help?

- John.

3 REPLIES
Bronze

Re: Problem using CPP filters

Hi John,

Using CPP, are you pushing multiple subnets in the ST list? If you are, when you try to access the subnets other than the one which works fine, do you see a yellow key next to those subnets in the client?

If you do, then the client must be encrypting the traffic, and there is something going on on the concentrator side.

You would probably need to open a TAC case to troubleshoot it in detail.

Jazib

New Member

Re: Problem using CPP filters

Hi Jazib,

I have 6 subnets in the ST list, the subnet I can access has a key against it. If I ping another device in one of the other subnets the key does not appear.

Using the default VPN filter when I ping a device a key appears & the traffic works to that subnet. It does appear like my HTTP filter is blocking something in the IPSEC session establishment (although I can't see why it would).

- John.

Bronze

Re: Problem using CPP filters

Hi John,

It seems like your filters might be behaving strangely. The CPP rules don't get applied for the tunneled traffic. There was a bug filed where CPP rules were getting applied in some cases:

CSCdx01678

You can also enable the client log viewer and see if the traffic destined to the tunnel is getting blocked.

Jazib
