ASA L2L VPN is not Passing Traffic when VPN Filter is Applied

With Cisco Adaptive Security Appliance (ASA) Software Version 8.2(2), you may find that when a group-policy with a vpn-filter is applied to your tunnel group, some traffic is not allowed through the VPN.

This is a bug in 8.2(2). To work around it, you will need to add the destination ports explicitly to the access-list used by the group-policy's vpn-filter.

Examples

Your previous access-list entry for your group-policy may have looked like this:

access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the config you would need to add in order to get the traffic affected by this bug working:

object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
no access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the complete config. (Please note this only includes the complete config for the group-policy and the relevant tunnel group, not the rest of the VPN configuration):

object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700

access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any

group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value ACL_Filter

tunnel-group [Peer IP] general-attributes
 default-group-policy Example_Policy
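Because the workaround depends on three things lining up (the tunnel-group pointing at a defined group-policy, that policy's vpn-filter naming an ACL that exists, and the ACL's permit entries matching ports via a defined service object-group rather than a bare "permit ip"), it is useful to audit an exported running-config for exactly those conditions before and after the change. The script below is an added example and not part of the original post or any Cisco tool: it is a minimal, hypothetical parser for the handful of ASA config commands used above, run over two constructed config snippets (a "before" with the bare permit ip entry and a mismatched policy name, and an "after" modelled on the corrected config). The peer address 203.0.113.10 is a constructed placeholder.

```python
from collections import defaultdict

# Constructed "before" config: the bare "permit ip" ACE the post says is affected,
# plus a tunnel-group whose default-group-policy names a policy that is never defined.
BEFORE_CONFIG = """
access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN
group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value ACL_Filter
tunnel-group 203.0.113.10 general-attributes
 default-group-policy VPN_Filter
"""

# Constructed "after" config, modelled on the post's corrected example.
AFTER_CONFIG = """
object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any
group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value ACL_Filter
tunnel-group 203.0.113.10 general-attributes
 default-group-policy Example_Policy
"""


def parse_config(text):
    """Extract service object-groups, extended ACLs, group-policies, vpn-filters
    and tunnel-group default policies from ASA-style config text (hypothetical
    minimal parser; only the commands used in the post are understood)."""
    cfg = {"service_groups": {}, "acls": defaultdict(list), "policies": set(),
           "vpn_filters": {}, "tunnel_groups": {}}
    current = None  # (kind, name) of the block whose indented sub-commands follow
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            # Indented line: a sub-command of the most recent block header.
            sub = raw.split()
            if current is None:
                continue
            kind, name = current
            if kind == "service_group" and sub[0] == "service-object":
                cfg["service_groups"][name].append(" ".join(sub[1:]))
            elif kind == "group_policy" and sub[:2] == ["vpn-filter", "value"]:
                cfg["vpn_filters"][name] = sub[2]
            elif kind == "tunnel_group" and sub[0] == "default-group-policy":
                cfg["tunnel_groups"][name] = sub[1]
            continue
        parts = raw.split()
        if parts[:2] == ["object-group", "service"] and len(parts) == 3:
            cfg["service_groups"].setdefault(parts[2], [])
            current = ("service_group", parts[2])
        elif parts[0] == "access-list" and len(parts) > 3 and parts[2] == "extended":
            # Store the ACE tokens after "extended": action, protocol, src, dst ...
            cfg["acls"][parts[1]].append(parts[3:])
            current = None
        elif parts[0] == "group-policy" and len(parts) >= 3:
            cfg["policies"].add(parts[1])
            current = ("group_policy", parts[1]) if parts[2] == "attributes" else None
        elif parts[0] == "tunnel-group" and parts[-1] == "general-attributes":
            current = ("tunnel_group", parts[1])
        else:
            current = None
    return cfg


def audit_vpn_filters(cfg):
    """Return human-readable findings for the conditions the workaround relies on."""
    findings = []
    for tg, policy in sorted(cfg["tunnel_groups"].items()):
        if policy not in cfg["policies"]:
            findings.append(f"tunnel-group {tg}: default-group-policy {policy} is not defined")
    for policy, acl in sorted(cfg["vpn_filters"].items()):
        aces = cfg["acls"].get(acl)
        if not aces:
            findings.append(f"group-policy {policy}: vpn-filter ACL {acl} has no entries")
            continue
        for ace in aces:
            action, proto = ace[0], ace[1]
            if action != "permit":
                continue
            if proto == "ip":
                # Bare "permit ip" carries no port match: this is the ACE form the post
                # reports as affected by the 8.2(2) vpn-filter bug.
                findings.append(f"{acl}: '{' '.join(ace)}' permits protocol ip with no port match; "
                                "traffic here may be dropped under 8.2(2), consider a service object-group")
            elif proto == "object-group" and ace[2] not in cfg["service_groups"]:
                findings.append(f"{acl}: service object-group {ace[2]} is not defined")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_vpn_filters(parse_config(text)) or ["no findings"]:
            print(" ", finding)
```

Run against the "before" snippet it reports both the undefined policy reference and the bare permit ip entry; against the "after" snippet only the remaining permit ip entry for the second LAN pair is reported, which is worth keeping in view if that traffic turns out to be affected as well.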

Please note: if this does not resolve your issue, please refer to the Cisco Bug Tracker. This is just one of a number of bugs within the vpn-filter feature.

Rick Donato
