Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Group filters


I'm brand new to the VPN world. I have a VPN 3005 Concentrator setup. I do get a sucessfull connection and can access all our services of our network like I was at work. My next step was to limit access so a user could only connect to services via using Microsofts remote desktop and a Win2k Server running the admin Terminal Services. We don't have a fully intergrated Win2k AD yet before anyone asks.

Anyway I attempted to limit people to connect via Terminal servers by creating 2 rules one inbound and one outbound and then creating the filter. I have set the filter to drop and log traffic that doesn't find a match in the filter. However, the rules I wrote to allow traffic through TCP port 3389 do not work... I'm stuck.

My question is this, where is the Filter I create for a VPN group applied. Inside interface or outside interface? Does anybody have any experiance with this that they can share? Even a simple rule that only allows FTP will allow to figure out how this works so I can better understand how to create my own rules.

Thank you for your help.

Randy Moore

NOVA Chemicals

  • Other Security Subjects
Cisco Employee

Re: VPN Group filters

You can apply a filter directly to a group, this is much better than applying it to an interface, leave those alone.

To allow users to get to TCP/3389 on say,, do the following:

Create a rule (under Config - Policy Mgmt - Traffic Mgmt - Rules) that is Inbound/Forward, Source of Anything, Destination of, TCP/3389.

Create another rule, call it Drop All, it can be left at the defaults which is Inbound, Drop, Source of anything, Dest of anything.

Create a filter (under Config - Policy Mgmt - Traffic Mgmt - Filters) with default action of forward and add both your new rules to it, making sure the rule that allows access to the host is ABOVE the default rule that will drop everything else.

Modify the group and under the General tab, apply the filter here. Save and Apply changes.

If you want to allow further traffic, just add more Rules and then apply them to the Filter, just make sure the new rules are always placed ABOVE the Drop All rule, since they're read from top down.

New Member

Re: VPN Group filters

Thanks, this is what I was looking for.


This widget could not be displayed.