ASA 5520 v 7.2 - Filter VPN Traffic

networkingib

Hi all,

I have an ASA with several LAN-to-LAN VPNs and I have enabled "sysopt connection permit-vpn" but I would like to filter the incoming traffic in one VPN to deny some ports and allow the rest.

The problem is that, since I have other VPNs and have enabled "sysopt connection permit-vpn", if I disable it I will lose connectivity for the rest of the VPNs.

Is there any way to filter only the traffic that arrives through a specific LAN-to-LAN VPN?

Regards, Fernando.


Hi acomiskey,

Thanks for your quick response. But I think that "vpn-filter" command is only available for remote VPN users and not for LAN-to-LAN.

Could you confirm it?

Regards, Fernando.

No, you can use it for L2L tunnels as well.

Hi acomiskey,

I will try and will let you know.

What about my other post?

Regards, Fernando.

Hi acomiskey,

On the other hand, could I filter it on the VPN ACL?

For example:

access-list vpn_acl extended deny tcp 192.168.0.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0
access-list vpn_acl extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map vpn_map 10 match address vpn_acl

Could I use a deny entry in the match acl?

Regards, Fernando.

Hi acomiskey,

I have tried it and I can confirm that it works :-).

Thank you very much.

Regards, Fernando.

I didn't appreciate that vpn-filter could be used for L2L VPNs. How do you attach the vpn-filter to the L2L tunnel, do you assign it to a group policy and then attach this to the L2L tunnel-group?

e.g.

group-policy Filtered_L2L_GP attributes
 vpn-filter value 10
 vpn-tunnel-protocol IPSec
!
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy Filtered_L2L_GP
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key *

Does the ACL need to permit the traffic in both directions, or is it just outbound into the tunnel from the ASA?

If the requirement is for the VPN to be firewalled too, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?

"do you assign it to a group policy and then attach this to the L2L tunnel-group?"

-Yes.

"Does the ACL need to permit the traffic in both directions, or is it just outbound into the tunnel from the ASA?"

-It depends whether or not you have an ACL applied to your inside interface. If not, then you need it applied to your outside interface, not outbound from the ASA.

"If the requirement is for the VPN to be firewalled too, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?"

-Yes.
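Putting the answers in this thread together, here is an added configuration example (not posted in the thread and not taken from Cisco documentation) that filters a single L2L tunnel while "sysopt connection permit-vpn" stays enabled for the other tunnels. The peer address, network ranges and ACL name are assumed; the one point it adds beyond the thread is that a vpn-filter ACL is written with the remote network as the source and the local network as the destination, and the ASA then enforces it on traffic in both directions of that tunnel.

```text
! Added example, not from the thread. Assumed addressing:
!   local LAN  192.168.0.0/24
!   remote LAN 192.168.1.0/24 behind L2L peer 1.2.3.4
!
! vpn-filter ACL: source = REMOTE network, destination = LOCAL network.
! Deny the unwanted ports (here TCP/80 and TCP/23) and permit the rest.
! Anything not permitted by the filter is dropped for this tunnel only;
! the other L2L tunnels keep the behaviour of "sysopt connection permit-vpn".
access-list L2L_FILTER extended deny tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-list L2L_FILTER extended deny tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23
access-list L2L_FILTER extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Group policy that carries the filter.
group-policy Filtered_L2L_GP internal
group-policy Filtered_L2L_GP attributes
 vpn-filter value L2L_FILTER
 vpn-tunnel-protocol IPSec
!
! Bind the group policy to the L2L tunnel-group for that one peer.
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy Filtered_L2L_GP
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key *
!
! Check that the filter is attached and is being hit:
!   show run group-policy Filtered_L2L_GP
!   show access-list L2L_FILTER        (hit counts per ACE)
!   show vpn-sessiondb l2l             (active tunnel, group policy in use)
```

Because the filter is bidirectional, a deny on the remote-to-local direction also blocks the matching local-to-remote flow; the sysopt setting and the crypto map match ACL are left unchanged.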
