ASA 7.X vpn-filter (group-policy)

Unanswered Question
Feb 12th, 2007

What direction are the ACLs supposed to work for the vpn-filter command in a group-policy? We intended the use of this to filter traffic for this particular group to the inside subnet as well as VLANs routed through the inside/core switch. However, it seemed we could not restrict access to the inside subnet unless we did a deny any any.

acomiskey Mon, 02/12/2007 - 06:13

I would highly recommend against the use of vpn-filter at this time. I attempted it on several versions of 7.2.1 and 7.2.2, even an engineering release given by TAC which was supposed to work. I was able to get it to function, but at random times, the ASA would begin to block all traffic on the tunnels.

I ended up doing away with "sysopt connection permit-ipsec" and using my regular interface acls for ipsec traffic filtering.

The direction of the acl is a little tricky. After much testing, I was able to determine that acl is "in outside interface". But the tricky part is it is not stateful! If you allow the traffic out from the inside, you must specifically allow the return traffic back in. It's kind of like writing an acl in a switch.

You should be able to restrict traffic from outside, make sure you apply the filter to group policy and then tear down the tunnel. If you don't tear it down and bring it back up, the changes won't be in effect.
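An added configuration example, not taken from the thread, that follows the behaviour the reply above describes: the vpn-filter ACL is evaluated as if applied inbound on the outside interface and is not stateful, so each flow needs an entry for the client-to-inside direction and one for the return direction. The addresses (client pool 10.10.10.0/24, inside subnet 192.168.1.0/24, routed VLAN 192.168.20.0/24), the ACL name VPN-FILTER and the group-policy name RA-GROUP are assumed values chosen for illustration.

```cisco
! Added example (not from the thread). Assumed addresses:
!   VPN client pool        10.10.10.0/24
!   inside subnet          192.168.1.0/24
!   VLAN behind core switch 192.168.20.0/24
!
! Client -> inside (request direction)
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 443
!
! Inside -> client (return direction). The reply above reports the filter is
! not stateful, so without these lines the replies are dropped.
access-list VPN-FILTER extended permit tcp 192.168.1.0 255.255.255.0 eq 3389 10.10.10.0 255.255.255.0
access-list VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 eq 443 10.10.10.0 255.255.255.0
!
! Explicit final deny: the implicit deny already exists, but an explicit line
! shows hit counts in "show access-list", which makes troubleshooting easier.
access-list VPN-FILTER extended deny ip any any
!
! Attach the filter to the group policy used by this tunnel group.
group-policy RA-GROUP attributes
 vpn-filter value VPN-FILTER
!
! The filter only takes effect on a new session. After changing it, drop the
! existing tunnel (for example with "clear crypto ipsec sa peer <peer-ip>")
! and reconnect, then confirm with:
!   show access-list VPN-FILTER
```

When checking the result, a permit line with zero hits while the corresponding return-direction line was never written is the usual sign that the filter is blocking replies rather than requests.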
