Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Vpn-filter ASA

Hi!

I have a problem to get the vpn-filter to work in my ASA5520 ver 7.4 and it`s urgent. The traffic don`t

passtrough, and i get this message in the log.(106023: Deny tcp src Outside:10.10.10.1/1024 dst

Inside:192.0.0.20/23 by access-group "Outside_access_in"). I have tested with vpn-client and easy-vpn,

same problem. I have the relevant configuration below. Does anyone have a configuration example that works?

access-list grupp1_easyvpn_splitTunnelAcl standard permit 192.0.0.0 255.255.255.0

access-list Outside_access_in extended permit icmp any any echo-reply

access-list Inside_nat0_outbound extended permit ip 192.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list Inside_access_in extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0

access-list Test_Filter_10 extended permit ip any any

ip local pool test_pool_1 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy grupp1_easyvpn internal

group-policy grupp1_easyvpn attributes

vpn-filter value Test_Filter_10

split-tunnel-policy tunnelspecified

split-tunnel-network-list value grupp1_easyvpn_splitTunnelAcl

webvpn

username xxx password xxxx encrypted privilege 0

username xxxx attributes

vpn-group-policy grupp1_easyvpn

no sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp enable Outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

/Regards

1 REPLY
Community Member

Re: Vpn-filter ASA

I have found the answer to the problem. You must have the sysopt command set to "sysopt connection permit-ipsec" NOT "no sysopt connection permit-ipsec" hope this will help somebody with the same problem. /Jonny

175
Views
5
Helpful
1
Replies
CreatePlease to create content