Cisco ASA VPN filter tips and misc

Cisco ASA VPN filters are relatively simple to setup. However there are a few things you should know before you start configuring them.

  1. Since version 7.0(1) sysopt connection permit-ipsec is enabled by default. Meaning VPN traffic bypasses interface access-lists (Version 7.1(1)+ Changes this command to sysopt connection permit-vpn)
  2. VPN filters permits or denies traffic both BEFORE it enters the tunnel (pre-encrypted) and AFTER it exits the tunnel (post encrypted)
  3. Since you can only have one VPN filter per tunnel the VPN filter is applied to traffic bi-directionally in and out of the interface.
  4. As such, VPN filters DOES NOT follow standard Cisco ASA ACLs rules. The Source and destination fields do not apply. Instead you should treat the remote end as the SOURCE and local end as the DESTINATION.
  5. There is an implicit deny rule at the end of the ACL.
  6. ACLs are stateful.
  7. Changes to the VPN filter using DENY statements take affect immediately.
  8. Changes to the VPN filter using the PERMIT statements requires the tunnel to be restarted.

If you want to allow telnet from your remote end to your local end here’s the ACL:

access-list VPNFILTER extended permit tcp eq telnet

#Note here that this entry also means the local network can initiate traffic with a source port of 23 to all ports in the remote end network

If you want to allow telnet from your local end to your remote end here’s the ACL

access-list VPNFILTER extended permit tcp eq telnet

#Note here that you need to place the port near the source (remote) network

How to apply the ACL in CLI

group-policy TUNNEL_POLICY internal
group-policy TUNNEL_POLICY attributes
 vpn-filter value VPNFILTER
tunnel-group general-attributes
 default-group-policy TUNNEL_POLICY
Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV