I am setting up a VPN filter where I only want to allow DB2 traffic (port 50001) and ICMP traffic into our network from the remote end. I was told to create a VPN ACL as well as a VPN filter ACL. The tunnel seems to be coming up, as I can see the remote IP when I do a "show crypto isakmp sa", but I cannot ping the remote servers (126.96.36.199 and 188.8.131.52). I have attached my PIX 525 configuration. Thanks.
I myself have had no luck with the vpn-filter command, though that was on an ASA. I went through a few releases (7.2.1, 7.2.2 and a TAC-supplied engineering release), none of which worked. All traffic eventually gets denied on the tunnel at random intervals.
I would start out without a vpn-filter. Make sure the connectivity is there, then add the vpn-filter. To apply the filter I always had to tear the tunnel down and bring it back up before the filter would take effect.
Is the DB2 traffic a source port of 50001? That's the way you have it written.
The permit icmp statements look fine.
Do you have "sysopt connection permit-ipsec"? You need that to use vpn-filter; otherwise the traffic will be blocked by your interface ACLs.
You could always remove "sysopt connection permit-ipsec" and write your ACL entries in your outside interface access list instead of vpn-filter. You would then also have to explicitly permit the IPsec ports (ESP, UDP 500, UDP 4500, etc.) from the remote peer.
Let me know how this goes, I am very interested if this works on pix.
One other thing: if you decide to try the vpn-filter, do not look at it as a regular interface ACL. From my experience it is applied "into the outside interface", but it is not stateful. Therefore, if you want to initiate traffic from inside to outside, you have to explicitly allow the return traffic in the ACL. Great, huh?
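To make the two approaches above concrete (a vpn-filter with "sysopt connection permit-ipsec", and the alternative of dropping sysopt and filtering in the outside interface ACL), here is an added configuration example. It is not taken from the poster's attached configuration; the addresses, ACL names and the group-policy name are assumed for illustration, and the syntax is PIX/ASA 7.x (the vpn-filter feature does not exist in PIX 6.x). The ISAKMP policy, transform set and crypto map are omitted since the thread says the tunnel already comes up.

```cisco
! Added example, not from the original post. Assumed values:
!   local (inside) network 10.10.0.0/24, remote DB2 server 192.0.2.10,
!   remote network 192.0.2.0/24, remote VPN peer 203.0.113.1,
!   local outside address 198.51.100.1,
!   group-policy DB2-L2L-GP, filter ACL VPN-FILTER-DB2, outside ACL OUTSIDE-IN

! ---- Option A: per-tunnel vpn-filter ----
! The vpn-filter ACL is written from the REMOTE side's point of view:
! source = remote addresses, destination = local addresses.
! The DB2 server is remote and the local side opens the connection, so the
! entry names TCP 50001 as the SOURCE port (the server's port on the packets
! coming back). This is why a vpn-filter entry looks "backwards".
access-list VPN-FILTER-DB2 extended permit tcp host 192.0.2.10 eq 50001 10.10.0.0 255.255.255.0
! Only echo replies are allowed from the remote side, so local hosts can ping
! the remote servers but the remote side cannot start a ping of its own.
access-list VPN-FILTER-DB2 extended permit icmp 192.0.2.0 255.255.255.0 10.10.0.0 255.255.255.0 echo-reply
! Explicit final deny; the implicit deny would do the same, but an explicit
! line shows hit counts in "show access-list" while testing.
access-list VPN-FILTER-DB2 extended deny ip any any

group-policy DB2-L2L-GP internal
group-policy DB2-L2L-GP attributes
 vpn-filter value VPN-FILTER-DB2

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy DB2-L2L-GP

! Decrypted tunnel traffic bypasses the interface ACLs, so the vpn-filter is
! the only thing checking it.
sysopt connection permit-ipsec

! The filter is attached when the SA is built; after changing it, clear the
! SAs for the peer so the tunnel is rebuilt with the new filter:
!   clear crypto ipsec sa peer 203.0.113.1
!   clear crypto isakmp sa

! ---- Option B: no sysopt, filter in the outside interface ACL instead ----
no sysopt connection permit-ipsec
! IKE and ESP from the peer itself must now be permitted explicitly.
access-list OUTSIDE-IN extended permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit esp host 203.0.113.1 host 198.51.100.1
! The interface ACL is stateful: the return half of a locally initiated
! TCP 50001 connection is matched by the connection table, so no DB2 entry
! is needed here. Nothing from 192.0.2.0/24 may initiate inbound.
! ICMP is not tracked unless "inspect icmp" is enabled in the policy-map, so
! permit echo replies explicitly to let local pings succeed.
access-list OUTSIDE-IN extended permit icmp 192.0.2.0 255.255.255.0 10.10.0.0 255.255.255.0 echo-reply
access-group OUTSIDE-IN in interface outside
```

When testing either option, "show access-list VPN-FILTER-DB2" (or OUTSIDE-IN) shows per-line hit counts, which makes it easy to see whether the DB2 return traffic is landing on the permit line or the final deny.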
Yes, port 50001 is for DB2. I actually am able to ping through the tunnel to the remote servers now. I changed the existing ACL. I was told initially to use deny instead of permit for the traffic you want to allow. This did not seem to make sense, so I changed the ACL to allow the ports I specified and deny everything else. I am waiting on the database techs to verify they can access the remote server over the specified port. This is my first time setting it up. We do have the "sysopt connection permit-ipsec" command. This PIX terminates about 10 other site-to-site VPNs; this is the first one with a filter.
Yes, the DB server is on the remote end. I was told by the remote techs that this was the port we would be using. At this point it does not seem like the filter is working properly, as the remote end can ping through the tunnel, and we are trying to block their ability to initiate communication from their end. All communication will be initiated from our end. I have heard that when making changes you sometimes have to remove the tunnel configuration and then put it back in.
OK, thanks. I did not realize that. I am still testing the VPN filter; currently it is not applied. I can get the tunnel to work no problem, but when I apply the filter it does not work. I have looked for documentation on VPN filters and there is not a whole lot out there. Thanks again for responding.
No, there is almost zero documentation on this, and what there is isn't clear at all. There is more mention of it on the Cisco bug site than anywhere else, haha. Like I said before, I gave up on it and resorted to using my interface ACLs for this.
I think that when you apply the filter, you need to allow ESP in your vpn-filter ACL between your two peers. That is probably why it does not work with the filter in place.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router :