Cisco ASA VPN filters are relatively simple to set up. However, there are a few things you should know before you start configuring them.
- Since version 7.0(1), sysopt connection permit-ipsec is enabled by default, meaning VPN traffic bypasses interface access-lists (version 7.1(1)+ renames this command to sysopt connection permit-vpn).
- VPN filters permit or deny traffic both BEFORE it enters the tunnel (pre-encryption) and AFTER it exits the tunnel (post-decryption).
- Since you can only have one VPN filter per tunnel, the VPN filter is applied to traffic bi-directionally, in and out of the interface.
- As such, VPN filters DO NOT follow standard Cisco ASA ACL rules: the source and destination fields do not mean what they normally do. Instead, treat the remote end as the SOURCE and the local end as the DESTINATION.
- There is an implicit deny rule at the end of the ACL.
- ACLs are stateful.
- Changes to the VPN filter using DENY statements take effect immediately.
- Changes to the VPN filter using PERMIT statements require the tunnel to be restarted.
Example
If you want to allow telnet from your remote end to your local end, here’s the ACL:
access-list VPNFILTER extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq telnet
#Note here that this entry also means the local network 10.2.0.0/24 can initiate traffic with a source port of 23 to all ports in the remote end network 10.1.0.0/24
If you want to allow telnet from your local end to your remote end, here’s the ACL:
access-list VPNFILTER extended permit tcp 10.1.0.0 255.255.255.0 eq telnet 10.2.0.0 255.255.255.0
#Note here that you need to place the port near the source (remote) network
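To make the remote-as-source, bidirectional matching concrete, here is a small Python model of how the ASA evaluates the first packet of a connection against a vpn-filter. It is an added example, not Cisco code or part of the original post; the ACE parser handles only the extended permit/deny syntax used above, the port-name table is a constructed subset, and the stateful return-traffic behaviour is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}  # constructed subset of ASA keywords

@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str
    remote: ipaddress.IPv4Network  # ACL "source" field = remote end of the tunnel
    remote_port: Optional[int]
    local: ipaddress.IPv4Network   # ACL "destination" field = local end of the tunnel
    local_port: Optional[int]

def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO NET MASK [eq P] NET MASK [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE syntax: " + line)
    action, proto, i = t[3], t[4], 5
    remote = ipaddress.IPv4Network((t[i], t[i + 1])); i += 2
    rport = None
    if t[i] == "eq":
        rport, i = _port(t[i + 1]), i + 2
    local = ipaddress.IPv4Network((t[i], t[i + 1])); i += 2
    lport = None
    if i < len(t) and t[i] == "eq":
        lport = _port(t[i + 1])
    return Ace(action, proto, remote, rport, local, lport)

def permitted(acl: List[Ace], proto: str, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int, direction: str) -> bool:
    """direction is "from_remote" (packet just left the tunnel) or "to_remote" (about to enter it).
    One filter is applied both ways with remote=source and local=destination, so a packet
    heading to the remote end is matched with its addresses and ports swapped."""
    if direction == "to_remote":
        src_ip, src_port, dst_ip, dst_port = dst_ip, dst_port, src_ip, src_port
    for ace in acl:
        if (ace.proto == proto
                and ipaddress.ip_address(src_ip) in ace.remote
                and ipaddress.ip_address(dst_ip) in ace.local
                and ace.remote_port in (None, src_port)
                and ace.local_port in (None, dst_port)):
            return ace.action == "permit"
    return False  # implicit deny at the end of the ACL
```

Running the first ACL above through it shows both the intended remote-to-local telnet and the side effect the note warns about (a local host sourcing from port 23 reaches any remote port), which is why the port should sit next to the network that actually listens.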
How to apply the ACL in CLI
group-policy TUNNEL_POLICY internal
group-policy TUNNEL_POLICY attributes
 vpn-filter value VPNFILTER
tunnel-group 10.20.20.1 general-attributes
 default-group-policy TUNNEL_POLICY