I seem to be having a strange problem with using CPP to push a filter to a VPN client.
I am using a 3015 (3.5.5) & the S/W client (3.5.1) using the Cisco integrated firewall. My goal is to push a filter which will allow the user to access the corporate IP Networks over a tunnel and ONLY http to the Internet. I have split tunneling set up & using the Default VPN Client filter works as expected - the user can get to the corporate IP networks as defined in the network list & can ping, telnet, ftp everything on the Internet.
When I define a filter which only allows HTTP outbound (using the two OUTBOUND provided filters) & set it to push to the client, the client connects OK - they can only use HTTP to the Internet (ping, telnet etc. do not work); however, only one of the corporate IP subnets can be reached over the tunnel.
Using CPP, are you pushing multiple subnets in the ST list? If you are, when you try to access the subnets other than the one which works fine, do you see a yellow key next to those subnets in the client?
If you do, then the client must be encrypting the traffic, and there is something going on on the concentrator side.
You would probably need to open a TAC case to troubleshoot it in detail.
I have 6 subnets in the ST list, the subnet I can access has a key against it. If I ping another device in one of the other subnets the key does not appear.
Using the default VPN filter, when I ping a device a key appears & the traffic works to that subnet. It does appear as if my HTTP filter is blocking something in the IPsec session establishment (although I can't see why it would).
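One way to test the hypothesis in the last post (that the HTTP-only filter drops something the tunnel itself needs) is to write the pushed filter down as an ordered rule list and check every flow the client has to send, not just the cleartext Internet traffic. The model below is an added illustration and is not part of the thread or of any Cisco product: the concentrator address 203.0.113.10, the Internet host 198.51.100.7, the rule names, and the first-match/default-deny evaluation are all assumptions. In particular, whether the Cisco integrated firewall implicitly exempts IKE/ESP to the concentrator from a pushed CPP filter is not established anywhere in the thread, so the model treats the rules literally; if the real product does add such an exemption, the first rule set would behave like the second.

```python
"""Added example (not from the thread): evaluate a CPP-style outbound filter
against the flows a split-tunnel VPN client generates.

Assumptions (hypothetical): concentrator public address 203.0.113.10,
Internet host 198.51.100.7, first-match evaluation with an implicit default
deny, and no implicit exemption for the tunnel's own IKE/ESP/NAT-T traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "esp", "icmp" or "any"
    dst: str                  # destination in CIDR notation
    dport: Optional[int] = None   # None matches any port (or a portless protocol)
    name: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str                  # destination address
    dport: Optional[int] = None


def match(rule: Rule, flow: Flow) -> bool:
    """True if the rule's protocol, destination and port all cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if match(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit default"


CONCENTRATOR = "203.0.113.10"   # assumed concentrator public address

# The filter as described in the thread: only HTTP outbound, then deny all.
HTTP_ONLY: List[Rule] = [
    Rule("permit", "tcp", "0.0.0.0/0", 80, "outbound http"),
    Rule("deny", "any", "0.0.0.0/0", None, "outbound deny all"),
]

# Same intent, but the flows the tunnel itself needs are permitted first,
# restricted to the concentrator's address so nothing else is opened up.
HTTP_ONLY_PLUS_TUNNEL: List[Rule] = [
    Rule("permit", "udp", CONCENTRATOR + "/32", 500, "IKE to concentrator"),
    Rule("permit", "udp", CONCENTRATOR + "/32", 4500, "NAT-T to concentrator"),
    Rule("permit", "esp", CONCENTRATOR + "/32", None, "ESP to concentrator"),
    *HTTP_ONLY,
]

# Constructed sample flows: what a split-tunnel client actually emits.
FLOWS: Dict[str, Flow] = {
    "ike": Flow("udp", CONCENTRATOR, 500),
    "esp": Flow("esp", CONCENTRATOR),
    "http_internet": Flow("tcp", "198.51.100.7", 80),
    "telnet_internet": Flow("tcp", "198.51.100.7", 23),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the filter's permit/deny decision."""
    return {name: evaluate(rules, flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("http only", HTTP_ONLY),
                         ("http only + tunnel", HTTP_ONLY_PLUS_TUNNEL)):
        print(label)
        for name, flow in FLOWS.items():
            action, rule_name = evaluate(rules, flow)
            print(f"  {name:16} {action:6} ({rule_name})")
```

Run against the literal rule set, the IKE and ESP flows to the concentrator fall through to the deny-all rule while HTTP to the Internet passes and telnet is dropped, which is the symptom pattern the thread describes. The second rule set keeps the HTTP-only policy for cleartext traffic but admits the tunnel's own flows, and only to the concentrator. The practical check is to compare the pushed filter's rules against the list of flows the tunnel needs, rather than only against the Internet traffic the policy was written for.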