Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Vpn-filter ASA


I have a problem to get the vpn-filter to work in my ASA5520 ver 7.4 and it`s urgent. The traffic don`t

passtrough, and i get this message in the log.(106023: Deny tcp src Outside: dst

Inside: by access-group "Outside_access_in"). I have tested with vpn-client and easy-vpn,

same problem. I have the relevant configuration below. Does anyone have a configuration example that works?

access-list grupp1_easyvpn_splitTunnelAcl standard permit

access-list Outside_access_in extended permit icmp any any echo-reply

access-list Inside_nat0_outbound extended permit ip

access-list Inside_access_in extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list Outside_cryptomap_dyn_20 extended permit ip any

access-list Test_Filter_10 extended permit ip any any

ip local pool test_pool_1 mask

group-policy grupp1_easyvpn internal

group-policy grupp1_easyvpn attributes

vpn-filter value Test_Filter_10

split-tunnel-policy tunnelspecified

split-tunnel-network-list value grupp1_easyvpn_splitTunnelAcl


username xxx password xxxx encrypted privilege 0

username xxxx attributes

vpn-group-policy grupp1_easyvpn

no sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp enable Outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400


Community Member

Re: Vpn-filter ASA

I have found the answer to the problem. You must have the sysopt command set to "sysopt connection permit-ipsec" NOT "no sysopt connection permit-ipsec" hope this will help somebody with the same problem. /Jonny

CreatePlease to create content