{"id":389,"date":"2010-03-16T15:22:20","date_gmt":"2010-03-16T15:22:20","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2010\/03\/16\/asa-l2l-vpn-is-not-passing-traffic-when-a-vpn-filter-is-applied\/"},"modified":"2023-02-24T13:07:28","modified_gmt":"2023-02-24T13:07:28","slug":"asa-l2l-vpn-is-not-passing-traffic-when-a-vpn-filter-is-applied","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/asa-l2l-vpn-is-not-passing-traffic-when-a-vpn-filter-is-applied.html","title":{"rendered":"ASA L2L VPN is not Passing Traffic when VPN Filter is Applied"},"content":{"rendered":"
In Cisco Adaptive Security Appliance Software Version 8.2(2), you may find that when a group-policy (vpn filter) is applied to your tunnel group, some traffic is not allowed through the VPN.<\/p>\n
This is a bug in 8.2(2). To resolve the issue you will need to add the destination ports to the group-policy's access-list.<\/p>\n
Examples <\/strong><\/p>\n Your previous access-list entry for your group-policy may have looked like this:<\/p>\n Below is an example of the config that you would need to add to get the traffic affected by this bug working:<\/p>\n Below is an example of the complete config. (Please note this only includes the complete config for the group-policy and the relevant tunnel group and not the VPN configuration):<\/p>\n access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN group-policy Example_Policy internal tunnel-group [Peer IP] general-attributes Please note: If this does not resolve your issue, please refer to the Cisco Bug Tracker. This is just one of a number of bugs in the vpn filter feature. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":" In Cisco Adaptive Security Appliance Software Version 8.2(2), you may find that when a group-policy (vpn filter) is applied to your tunnel group, some traffic is not allowed through the VPN. This is a bug in 8.2(2). To resolve the issue you will need to add the destination ports to the group-policy's … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\naccess-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN<\/pre>\n
object-group service Ports\r\n\u00a0service-object icmp echo\r\n\u00a0service-object icmp echo-reply\r\n\u00a0service-object tcp range 4060 6700\r\n\u00a0service-object udp range 4060 6700\r\n\u00a0access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN\r\n\u00a0no access-list ACL_Filter extended permit ip\u00a0 object-group Local-LAN object-group Remote-LAN<\/pre>\n
object-group service Ports \r\n\u00a0service-object icmp echo\r\n\u00a0service-object icmp echo-reply\r\n\u00a0service-object tcp range 4060 6700\r\n\u00a0service-object udp range 4060 6700<\/pre>\n
\naccess-list ACL_Filter extended permit ip\u00a0 object-group Local-LAN2 object-group Remote-LAN2
\naccess-list ACL_Filter extended deny ip any any<\/p>\n
\ngroup-policy Example_Policy attributes
\nvpn-filter value ACL_Filter
\ndefault-group-policy Example_Policy<\/p>\n