Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN 3000 and Group filters with L2TP/IPSec client connections

We want to apply filters at group level for W2K clients.

The clients use the standard L2TP/IPsec connections and use the OU field inside the certificate in order to bind the group at the VPN3015.

The problem is that the group filter is able only to intercept L2TP packets (port 1701), so that it's not possible to restrict the access at application level (i.e. TCP port 23 for telnet). I suppose that the concentrator is not able to inspect the data inside the L2TP packet.

Is this correct or are there other ways to implement this, beside applying filters at interface level ?

Can anyone help me ?? Thanks in advance for any advice !

2 REPLIES
New Member

Re: VPN 3000 and Group filters with L2TP/IPSec client connection

Hi,

The group filter actually is happening after the packets been decrpted.

So there is no necessary to look into the L2TP or IPSEC packets to filtering the traffic.

So you still can filter the application traffic as your wish. Such as telnet, FTP, SMTP, as far as I create correct users rules and binding thoese rules into user filter. Then you can bind the filter into the group level.

Here is a good URL for setting up group filters: (No need for Radius Server, local filter will do as well)

http://www.cisco.com/warp/customer/471/filter.html

Best Regards,

New Member

Re: VPN 3000 and Group filters with L2TP/IPSec client connection

Hi,

Thank you for your feedback, but i have still some doubts.

I have attached a short extract of FILTERDBG in order to show what's happen at the group filter level (i've set up a forward and log for all packets).

49 07/26/2002 12:18:02.480 SEV=9 FILTERDBG/1 RPT=184

Permit In: intf 1011, filter 'Allow_only_SMTP', UDP, Src 151.24.25.133, Port 170

1, Dest 87.92.40.41, Port 1701

51 07/26/2002 12:18:02.710 SEV=9 FILTERDBG/1 RPT=185

Permit In: intf 1011, filter 'Allow_only_SMTP', UDP, Src 151.24.25.133, Port 170

1, Dest 87.92.40.41, Port 1701

As you can see, the attempts to access the SMTP port of an internal Host is interpreted by the VPN3000 only as an L2TP packet.

The same happens if i try to open other application.

If i try the same connection by means of a Cisco VPN Client, the group filter works correctly and is able to capture the SMTP Port (25).

So i have the impression that the group filter applied to L2TP/IPSec removes the IPSec/ESP Header corrcetly but is not able to remove the inner UDP Header of the L2TP packet (port 1701) , which is not present in Cisco VPN Client connections.

Is this correct or do you see other solutions ? In this case i would very appreciate any suggestion !

Thanks

107
Views
0
Helpful
2
Replies