Cisco Support Community
Community Member

unable to make vpn client filter on concentrator 3005 work

I am unable to push the client filter out to the vpn client from the 3005. Essentially I have a filter that allows all ip traffic which i want to push to the client. This would allow the client to establish an http session with an internal server. I have configured this filter for use by the user. The filter on the public interface is the default which does not allow for http traffic. Any tips?

Thanks, john

Cisco Employee

Re: unable to make vpn client filter on concentrator 3005 work

If you want to allow VPN clients full access to your internal network then don't even bother with a filter. Just apply no filter under the Group and the user will be able to get to everything. The reason the Public filter doesn't allow HTTP is because when the packet comes in from the client it is encrypted (an ESP packet), so all the Public filter has to allow in is the encrypted protocols (which it does by default).

Having said that, if you want to apply a filter to a user, then do one of the following:
Allow access to and block everything else:

To block access to everything but, create a rule that is Inbound/Forward, Source of Anything, Destination of Create another rule, it can be left at the defaults which is Inbound, Drop, Source of anything, Dest of anything. Create a filter with default action of forward and add both your new rules to it, making sure the rule that allows access to the host 10.1.12 is ABOVE the default rule that will drop everything else.

Block access to and allow everything else:

To allow access to everything except, create a rule that says Inbound, Drop, Source of anything and Destination of Add a filter whose default action is to forward, and add the rule to that filter.
- You can allow or block access to whole subnets simply by changing your address/mask combination to something like:
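An added illustration, not from this thread or from Cisco: a small Python simulation of first-match filter evaluation, showing why the allow rule has to sit above the drop-everything rule in the first filter, and why the second filter needs only its one drop rule. The host addresses 10.1.1.12 and 10.1.1.50, the client address, and the packets are constructed sample values; direction is left out because every rule in the reply is Inbound.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One filter rule; src/dst are CIDRs, with 0.0.0.0/0 meaning 'anything'."""
    action: str          # "forward" or "drop"
    src: str
    dst: str
    proto: str = "any"   # "any", "tcp", "udp", ...


def matches(rule, pkt):
    """True if the packet falls inside the rule's source, destination and protocol."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt["proto"]))


def evaluate(rules, default_action, pkt):
    """Walk the ordered rule list: the first matching rule decides the packet,
    and the filter's default action applies only when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default_action


# Filter 1: allow one host (constructed 10.1.1.12), drop everything else.
ALLOW_HOST = Rule("forward", "0.0.0.0/0", "10.1.1.12/32")
DROP_ALL = Rule("drop", "0.0.0.0/0", "0.0.0.0/0")
CORRECT_ORDER = [ALLOW_HOST, DROP_ALL]
WRONG_ORDER = [DROP_ALL, ALLOW_HOST]   # drop-all now shadows the allow rule

# Filter 2: block one host (constructed 10.1.1.50); the filter's default action
# of forward handles everything else, so a single drop rule is enough.
BLOCK_HOST = [Rule("drop", "0.0.0.0/0", "10.1.1.50/32")]

# Constructed packets as seen after decryption, i.e. what the user filter inspects.
HTTP_TO_HOST = {"src": "192.168.5.7", "dst": "10.1.1.12", "proto": "tcp"}
HTTP_TO_OTHER = {"src": "192.168.5.7", "dst": "10.1.1.50", "proto": "tcp"}

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, "forward", HTTP_TO_HOST))   # forward
    print(evaluate(WRONG_ORDER, "forward", HTTP_TO_HOST))     # drop
    print(evaluate(BLOCK_HOST, "forward", HTTP_TO_OTHER))     # drop
```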
