On Cisco Adaptive Security Appliance (ASA) Software version 8.2(2), you may find that when a group-policy with a vpn-filter is applied to your tunnel-group, some traffic is not allowed through the VPN even though the filter's access-list permits ip between the two networks.
This is a bug in 8.2(2). To work around it, add the destination ports (and ICMP types) of the affected traffic explicitly to the group-policy's access-list, rather than relying on a plain permit ip entry.
Examples
Your previous access-list entry for the group-policy may have looked like this:
access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN
Below is the configuration to add in order to get the traffic affected by this bug flowing again. Note the order: the new entry is added first and the old permit ip entry is removed afterwards. The ICMP types and the 4060-6700 tcp/udp range are only an example; substitute the ports your application actually uses.
object-group service Ports
service-object icmp echo
service-object icmp echo-reply
service-object tcp range 4060 6700
service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
no access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN
Below is the complete configuration for the group-policy and the relevant tunnel-group (the rest of the VPN configuration is omitted):
object-group service Ports
service-object icmp echo
service-object icmp echo-reply
service-object tcp range 4060 6700
service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any
group-policy Example_Policy internal
group-policy Example_Policy attributes
vpn-filter value ACL_Filter
tunnel-group [Peer IP] general-attributes
default-group-policy Example_Policy
Please note: a vpn-filter ACL is written from the remote peer's perspective (source is the remote network, destination is the local network, and a destination port qualifier applies to the local side) and is applied to traffic in both directions, so check that your object-groups are in that order. Also, because the permit ip entry between Local-LAN and Remote-LAN has been removed, any protocol or port not listed in the Ports group is now dropped by the deny at the end of the list. If this does not resolve your issue, refer to the Cisco Bug Tracker; this is just one of a number of bugs in the vpn-filter feature.
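To check what the rewritten filter actually lets through before pushing it to the appliance, here is a small Python evaluator for the ACL above. It is added as a worked example and is not code from the original post or from Cisco: it parses a subset of ASA 8.2 syntax (network and service object-groups, extended ACEs with any or object-group operands) and walks the list first-match, top to bottom. The network ranges for Local-LAN, Remote-LAN, Local-LAN2 and Remote-LAN2 are assumed, since the page never defines them.

```python
"""Check which flows an ASA vpn-filter ACL permits (added example, not from the page).
Models a small subset of ASA 8.2 syntax: network/service object-groups and extended
ACEs with `any` or object-group operands, walked first-match top to bottom. The
network ranges are assumed; the page never defines its object-groups."""
import ipaddress

# Constructed config: the page's Ports group and ACL_Filter plus assumed networks.
CONFIG = """
object-group network Local-LAN
 network-object 10.1.1.0 255.255.255.0
object-group network Remote-LAN
 network-object 10.2.2.0 255.255.255.0
object-group network Local-LAN2
 network-object 10.1.3.0 255.255.255.0
object-group network Remote-LAN2
 network-object 10.2.4.0 255.255.255.0
object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any
"""
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def parse_service(w):
    """service-object tokens -> (protocol, low, high); None bounds match any port/type."""
    if w[0] == "icmp" and len(w) > 1:
        return ("icmp", ICMP_TYPES[w[1]], ICMP_TYPES[w[1]])
    if len(w) > 3 and w[1] == "range":
        return (w[0], int(w[2]), int(w[3]))
    return (w[0], None, None)


def take_operand(w):
    """Consume `any` or `object-group NAME`; return ((kind, value), remaining tokens)."""
    if w[0] == "any":
        return ("any", None), w[1:]
    return ("group", w[1]), w[2:]


def parse_ace(w):
    """Tokens after `access-list NAME extended` -> one access control entry."""
    action, w = w[0], w[1:]
    # The protocol slot is either a keyword (ip/tcp/udp/icmp) or a service object-group.
    service, w = take_operand(w) if w[0] == "object-group" else (("proto", w[0]), w[1:])
    src, w = take_operand(w)
    dst, w = take_operand(w)
    return {"action": action, "service": service, "src": src, "dst": dst}


def parse(config):
    nets, svcs, acls, current = {}, {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["object-group", "network"]:
            current = nets.setdefault(w[2], [])
        elif w[:2] == ["object-group", "service"]:
            current = svcs.setdefault(w[2], [])
        elif w[0] == "network-object":
            current.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[0] == "service-object":
            current.append(parse_service(w[1:]))
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(parse_ace(w[3:]))
    return nets, svcs, acls


def service_matches(spec, flow, svcs):
    kind, val = spec
    entries = svcs[val] if kind == "group" else [(val, None, None)]
    for proto, low, high in entries:
        if proto in ("ip", flow["proto"]) and (low is None or low <= flow["port"] <= high):
            return True
    return False


def evaluate(acl_name, flow, config=CONFIG):
    """Return (action, ACE index) of the first match, or ("deny", None) for the
    implicit deny at the end of every ASA ACL. For icmp, flow["port"] is the type."""
    nets, svcs, acls = parse(config)
    addrs = {"src": ipaddress.ip_address(flow["src"]), "dst": ipaddress.ip_address(flow["dst"])}
    for i, ace in enumerate(acls[acl_name]):
        if all(ace[end][0] == "any" or any(addrs[end] in n for n in nets[ace[end][1]])
               for end in ("src", "dst")) and service_matches(ace["service"], flow, svcs):
            return ace["action"], i
    return "deny", None


if __name__ == "__main__":
    for flow in [{"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.10", "port": 5000},
                 {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.10", "port": 80},
                 {"proto": "icmp", "src": "10.1.1.10", "dst": "10.2.2.10", "port": 8},
                 {"proto": "tcp", "src": "10.1.3.10", "dst": "10.2.4.10", "port": 80}]:
        print(flow, "->", evaluate("ACL_Filter", flow))
```

Running it shows the trade-off the workaround makes: tcp/5000 and ICMP echo between Local-LAN and Remote-LAN hit the first entry and are permitted, while tcp/80 between the same networks now falls through to the final deny, because the permit ip entry that used to cover it is gone. Traffic between Local-LAN2 and Remote-LAN2 is unaffected.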