Hello all, very quick one for you:
I want to create an L2L tunnel that allows all traffic in one direction for management purposes, and just port 80 traffic back in the other direction.
I'm guessing this isn't possible with just the match access-lists (they need to match in the SA, right?), so is creating a VPN filter the right way to go?
Any advice welcome.
Yes, for the LAN-to-LAN tunnel to be established, the crypto ACL match statements should be a mirror image on both ends.
Site A LAN: 10.1.1.0/24
Site B LAN: 10.2.2.0/24
Crypto ACL on Site A: access-list crypto-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Crypto ACL on Site B: access-list crypto-acl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
Then, if you would like to restrict it, as Federico and Kevin said, you can use a vpn-filter ACL.
Here is the sample configuration on vpn-filter for your reference:
Hope that helps.
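The vpn-filter configuration the reply refers to, as an added example that is not part of the original thread (and not Cisco's own sample), written for Site A's ASA using the two LANs above. The ACL name, the group-policy name and the peer address 203.0.113.2 are assumptions.

```text
! Site A ASA: local LAN 10.1.1.0/24, remote (Site B) LAN 10.2.2.0/24.
! Crypto ACL, the mirror image of Site B's (as in the reply above).
access-list crypto-acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! vpn-filter ACL. For an L2L group policy the ACL is written with the
! REMOTE network as source and the LOCAL network as destination. The ASA
! also checks traffic about to be encrypted against the same ACL with
! source and destination swapped, and return traffic of a permitted
! connection passes via the stateful connection table. Therefore:
!  - this line lets Site B hosts open connections to web servers in Site A;
access-list VPN-FILTER-B extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
!  - putting "eq 80" on the remote side instead would let Site A hosts
!    browse web servers in Site B:
!    access-list VPN-FILTER-B extended permit tcp 10.2.2.0 255.255.255.0 eq 80 10.1.1.0 255.255.255.0
!  - and "permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0" matches
!    connections opened from either side, so by itself it cannot express
!    "everything in one direction only".
!
! Bind the filter to the L2L tunnel through its group policy
! (names and peer address are placeholders).
group-policy L2L-SITE-B internal
group-policy L2L-SITE-B attributes
 vpn-filter value VPN-FILTER-B
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-SITE-B
```

Verify the effective filter per peer with `show vpn-sessiondb detail l2l`, which lists the filter name applied to the session.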
You are right, that is the way to go. Cisco recommends that the access list used to match the traffic must be from IP to IP and the vpn filters should be used on the specific tunnel groups. See link below.
The devices involved in the L2L tunnel are ASAs?
If so, you can use the vpn-filter command under the group-policy applied to the tunnel-group for the L2L.
The filter refers to an ACL where you specify the permitted traffic.