VPN 3000 and Group filters with L2TP/IPSec client connections
We want to apply filters at group level for W2K clients.
The clients use the standard L2TP/IPsec connections and use the OU field inside the certificate in order to bind the group at the VPN3015.
The problem is that the group filter is able only to intercept L2TP packets (port 1701), so that it's not possible to restrict the access at application level (i.e. TCP port 23 for telnet). I suppose that the concentrator is not able to inspect the data inside the L2TP packet.
Is this correct, or are there other ways to implement this, besides applying filters at interface level?
Can anyone help me? Thanks in advance for any advice!
Re: VPN 3000 and Group filters with L2TP/IPSec client connection
The group filter is actually applied after the packets have been decrypted.
So there is no need to look into the L2TP or IPSEC packets to filter the traffic.
So you can still filter the application traffic as you wish, such as telnet, FTP, SMTP, as far as I create correct user rules and bind those rules into a user filter. Then you can bind the filter into the group level.
Here is a good URL for setting up group filters: (No need for Radius Server, local filter will do as well)
As you can see, the attempts to access the SMTP port of an internal host are interpreted by the VPN3000 only as an L2TP packet.
The same happens if I try to open other applications.
If I try the same connection by means of a Cisco VPN Client, the group filter works correctly and is able to capture the SMTP port (25).
So I have the impression that the group filter applied to L2TP/IPSec removes the IPSec/ESP header correctly but is not able to remove the inner UDP header of the L2TP packet (port 1701), which is not present in Cisco VPN Client connections.
Is this correct or do you see other solutions? In this case I would very much appreciate any suggestion!
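The encapsulation difference the thread is circling around can be made concrete. The following is an added example (not code from the thread or from Cisco): it builds two constructed packets as they would look after ESP has been stripped, one from an L2TP/IPsec client (outer IP / UDP 1701 / L2TP / PPP / inner IP / TCP 25) and one from a native IPsec client (inner IP / TCP 25 directly), and then runs two classifiers over them. `shallow_classify` stops at the first transport header, which is what a filter sees when it does not descend into L2TP; `deep_classify` recognises UDP/1701 and walks through the L2TP and PPP headers to the inner IP packet. All addresses, tunnel and session IDs are made up, and checksums are left at zero since nothing here validates them.

```python
"""Added example: why a post-ESP filter sees UDP/1701 for L2TP/IPsec clients
but TCP/25 for native IPsec clients. All packet bytes are constructed."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
L2TP_PORT = 1701
PPP_PROTO_IP = 0x0021


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum zeroed (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_header(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header, checksum zeroed (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def l2tp_data_header(tunnel_id: int, session_id: int) -> bytes:
    """L2TPv2 data message: T=0, no L/S/O bits set, version field = 2."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def ppp_header(protocol: int) -> bytes:
    """PPP with HDLC-like framing: address 0xFF, control 0x03, 2-byte protocol."""
    return struct.pack("!BBH", 0xFF, 0x03, protocol)


def inner_smtp_packet() -> bytes:
    """Inner IP/TCP packet towards port 25 (hypothetical hosts)."""
    tcp = tcp_header(40000, 25)
    return ipv4_header("10.1.1.50", "192.168.10.20", IPPROTO_TCP, len(tcp)) + tcp


def l2tp_client_after_esp() -> bytes:
    """What remains after ESP removal for an L2TP/IPsec (Windows-style) client."""
    l2tp = l2tp_data_header(7, 3) + ppp_header(PPP_PROTO_IP) + inner_smtp_packet()
    udp = udp_header(L2TP_PORT, L2TP_PORT, len(l2tp)) + l2tp
    return ipv4_header("203.0.113.5", "198.51.100.1", IPPROTO_UDP, len(udp)) + udp


def native_client_after_esp() -> bytes:
    """What remains after ESP removal for a native IPsec (Cisco VPN Client) session."""
    return inner_smtp_packet()


def parse_ipv4(buf: bytes):
    ihl = (buf[0] & 0x0F) * 4          # header length in bytes
    return buf[9], buf[ihl:]           # (protocol, payload)


def parse_udp(buf: bytes):
    sport, dport = struct.unpack("!HH", buf[:4])
    return sport, dport, buf[8:]


def parse_l2tp_data(buf: bytes) -> bytes:
    """Skip an L2TPv2 data header, honouring the optional L, S and O fields."""
    flags = struct.unpack("!H", buf[:2])[0]
    if flags & 0x8000:
        raise ValueError("L2TP control message, carries no user data")
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 header")
    off = 2
    if flags & 0x4000:                 # L bit: Length field present
        off += 2
    off += 4                           # Tunnel ID + Session ID
    if flags & 0x0800:                 # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:                 # O bit: Offset Size + padding
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    return buf[off:]


def parse_ppp(buf: bytes):
    """Return (protocol, payload); tolerates address/control and protocol compression."""
    off = 2 if buf[:2] == b"\xff\x03" else 0
    if buf[off] & 0x01:                # compressed 1-byte protocol field
        return buf[off], buf[off + 1:]
    return struct.unpack("!H", buf[off:off + 2])[0], buf[off + 2:]


def shallow_classify(packet: bytes):
    """A filter that matches on the first transport header it finds."""
    proto, payload = parse_ipv4(packet)
    if proto == IPPROTO_UDP:
        return "udp", parse_udp(payload)[1]
    if proto == IPPROTO_TCP:
        return "tcp", struct.unpack("!HH", payload[:4])[1]
    return "other", proto


def deep_classify(packet: bytes):
    """A filter that descends UDP/1701 -> L2TP -> PPP -> inner IP before matching."""
    kind, port = shallow_classify(packet)
    if (kind, port) != ("udp", L2TP_PORT):
        return kind, port
    _, l2tp = parse_udp(parse_ipv4(packet)[1])[2:][0], parse_udp(parse_ipv4(packet)[1])[2]
    ppp_proto, inner = parse_ppp(parse_l2tp_data(l2tp))
    if ppp_proto != PPP_PROTO_IP:
        return "ppp", ppp_proto
    return shallow_classify(inner)


if __name__ == "__main__":
    for name, pkt in (("L2TP/IPsec client", l2tp_client_after_esp()),
                      ("native IPsec client", native_client_after_esp())):
        print(name, "shallow:", shallow_classify(pkt), "deep:", deep_classify(pkt))
```

Running it prints `('udp', 1701)` for the L2TP client under the shallow filter and `('tcp', 25)` under the deep one, while the native client yields `('tcp', 25)` either way, which is exactly the asymmetry described in the thread: the ESP header is gone in both cases, but only the L2TP path still carries a UDP/L2TP/PPP wrapper around the user's IP packet.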