fir3net

ASA L2L VPN is not passing traffic when a VPN Filter is applied

When running Cisco Adaptive Security Appliance Software Version 8.2(2), you may find that once a group-policy containing a VPN filter is applied to your tunnel group, some traffic is no longer allowed through the VPN, even though the filter's access-list permits it.

This is a bug in 8.2(2). To work around it, you need to add the affected destination ports explicitly to the group-policy's access-list rather than relying on a blanket permit ip entry.

Examples

Your previous access-list entry for the group-policy may have looked like this:

access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the config you would need to add in order to get the traffic affected by this bug working. Add the new entry first and only then remove the old permit ip entry, so that the tunnel is never left without a permitting ACE:

object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700
access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
no access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the complete config. (Note that this only includes the group-policy and the relevant tunnel group, not the rest of the VPN configuration.)

object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700

access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any

group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value ACL_Filter

tunnel-group [Peer IP] general-attributes
 default-group-policy Example_Policy
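Once the filter is in place, it is worth confirming that the tunnel is actually inheriting it and that the new ACEs are the ones being hit. The session below is an added example for that check; it is not part of the original article. The peer address 203.0.113.10, the interface name inside, and the host addresses 10.1.1.10 and 10.2.2.10 are placeholders chosen for illustration and should be replaced with your own values.

```cisco
! Added verification example (not from the original article). Placeholders:
! peer 203.0.113.10, interface "inside", hosts 10.1.1.10 (local) and 10.2.2.10 (remote).

! 1. Confirm which group-policy the tunnel group inherits and that the
!    group-policy carries the vpn-filter.
show running-config tunnel-group 203.0.113.10
show running-config group-policy Example_Policy

! 2. Confirm the active L2L session has picked up the filter. A filter
!    change only takes effect for new sessions, so bounce the tunnel if
!    the session still shows the old (or no) filter name.
show vpn-sessiondb detail l2l filter ipaddress 203.0.113.10

! 3. Zero the ACE hit counters, generate the affected traffic across the
!    tunnel, then check that the object-group Ports entry is being hit
!    rather than the final deny.
clear access-list ACL_Filter counters
show access-list ACL_Filter

! 4. Trace a single flow on the affected port range from the local side.
!    The phase at which the packet is dropped tells you whether the
!    filter ACL or something else in the path is responsible.
packet-tracer input inside tcp 10.1.1.10 40000 10.2.2.10 5000 detailed
```

If step 3 shows hits only on the deny entry, the flow is not matching the ports you added; compare the port range in the object-group against what the application actually uses on the wire before looking further.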

Please note: a vpn-filter ACL is written from the remote network's perspective. The ASA evaluates it with the remote network as the source and the local network as the destination, and swaps the addresses for outbound traffic, so check the direction of your object-groups and ports accordingly. If this does not resolve your issue, please refer to the Cisco Bug Tracker; this is just one of a number of bugs affecting the vpn filter feature.

Tags: ASA, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001