VPN Filtering on a Site to Site

I've been using this doc to configure filtering rules between two sites.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

For the life of me, I cannot get the rules to 'stick'. Once I have built the ACL, then the group policy, and then applied it to the tunnel-group attributes, it should just work... no? See the configuration of my ASA5505 attached. This is the destination - I want to limit source traffic. What am I doing wrong? After doing all of this, I've tested it several times and traffic that is not being implicitly allowed is still getting through.

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.
Accepted Solution

Re: VPN Filtering on a Site to Site

I went through this exact thing 2 weeks ago. Just bounce the tunnel and your rules will go into effect. What I don't understand is why in any other case when you change an ACL it's immediate and in this case the tunnel needs to be re-init'd. It's weird. Good luck to you!

4 REPLIES

Re: VPN Filtering on a Site to Site

As a follow-up to my own post, I found that reloading my ASA fixed this issue. I have to assume that the tunnel must be brought down and then up again to effectively apply the filter? That seems odd... and certainly impractical in many situations. I tried the same configuration on another ASA site-to-site I manage and it did not work. I'm hesitant to reload it, however, until I confirm my suspicions.


Re: VPN Filtering on a Site to Site

Yes, you must restart the tunnel for any new VPN filter rules to take effect. If you understand the IKE negotiation and how the ASA builds the IKE Phase 1 and Phase 2 SAs, you'll understand why the tunnel must be restarted.

I did not see the 'access-group' commands in your configuration. Which access-list is used to filter inbound, non-VPN traffic?

Re: VPN Filtering on a Site to Site

The ACL was 101. Applying it to the tunnel group is done through group policy... not the access-group command. At least that is the way I've understood it to be done.

I've resolved this issue by using the

clear crypto isakmp sa

command then bringing the tunnel back up with a ping.

Thanks for the response.

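For readers following the thread, here is an added example of the three pieces the original post describes (filter ACL, group policy, tunnel-group binding) together with the tunnel-clearing step the posters found necessary. This is not configuration from the thread, the linked Cisco document, or the poster's attached ASA5505 config; all addresses, ACL and policy names are constructed placeholders, and the IKE/IPsec crypto map, transform set and pre-shared key for the peer are assumed to already exist.

```cisco
! Added example (not from this thread): site-to-site VPN filter on an ASA.
! Constructed placeholders: local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
! remote peer 203.0.113.5. The existing crypto map / pre-shared key for the peer
! is assumed to be configured already.
!
! 1. The filter ACL. A vpn-filter ACL is written from the remote side's
!    perspective: source = remote network, destination = local network.
!    The ASA checks the same ACL for traffic in both directions of the tunnel,
!    so only this orientation needs to be written. The final deny makes the
!    intent explicit (an ACL ends in an implicit deny anyway).
access-list VPN-FILTER-SITEB extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.10.25 eq 443
access-list VPN-FILTER-SITEB extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-FILTER-SITEB extended deny ip any any
!
! 2. The group policy that carries the filter.
group-policy GP-L2L-SITEB internal
group-policy GP-L2L-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB
!
! 3. Bind the group policy to the site-to-site tunnel group for the peer.
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP-L2L-SITEB
!
! 4. The filter is attached to the session when the SA is built, which is why
!    the thread reports that a changed filter only applies after the tunnel is
!    bounced. Tear it down (the command used in the thread, plus the IPsec SA
!    for the peer) and let interesting traffic, e.g. a ping, rebuild it:
! clear crypto isakmp sa
! clear crypto ipsec sa peer 203.0.113.5
!
! 5. Confirm the filter is bound to the live session and check hit counts
!    after sending test traffic across the tunnel:
! show vpn-sessiondb detail l2l
! show access-list VPN-FILTER-SITEB
```

The commands in steps 4 and 5 are exec-mode commands, shown as comments so the block can be pasted as configuration without running them. After the tunnel re-establishes, the `show vpn-sessiondb detail l2l` output should list the filter name for the session, and the hit counts on `VPN-FILTER-SITEB` should increment for permitted flows and for traffic that hits the deny line.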