Cisco Support Community
Community Member

ASA 5520 v 7.2 - Filter VPN Traffic

Hi all,

I have an ASA with several LAN-to-LAN VPNs and I have enabled "sysopt connection permit-vpn" but I would like to filter the incoming traffic in one VPN to deny some ports and allow the rest.

The problem is that, as I have other VPNs and I have enabled "sysopt connection permit-vpn", if I disable it I will lose connectivity for the rest of the VPNs.

Is there any way to filter only the traffic that arrives through a specific LAN-to-LAN VPN?

Regards, Fernando.

Community Member

Re: ASA 5520 v 7.2 - Filter VPN Traffic

Hi acomiskey,

Thanks for your quick response. But I think that "vpn-filter" command is only available for remote VPN users and not for LAN-to-LAN.

Could you confirm it?

Regards, Fernando.

Green

Re: ASA 5520 v 7.2 - Filter VPN Traffic

No, you can use it for L2L tunnels as well.

Community Member

Re: ASA 5520 v 7.2 - Filter VPN Traffic

Hi acomiskey,

I will try and will let you know.

What about my other post?

Regards, Fernando.

Community Member

Re: ASA 5520 v 7.2 - Filter VPN Traffic

Hi acomiskey,

On the other hand, could I filter it on the VPN ACL?

For example:

access-list vpn_acl extended deny tcp 192.168.0.0 255.255.255.0 eq 80 192.168.1.0 255.255.255.0
access-list vpn_acl extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map vpn_map 10 match address vpn_acl

Could I use a deny entry in the match acl?

Regards, Fernando.

Community Member

Re: ASA 5520 v 7.2 - Filter VPN Traffic

Hi acomiskey,

I have tried it and I can confirm that it works :-).

Thank you very much.

Regards, Fernando.

Silver

Re: ASA 5520 v 7.2 - Filter VPN Traffic

I didn't appreciate that vpn-filter could be used for L2L VPNs. How do you attach the vpn-filter to the L2L tunnel, do you assign it to a group policy and then attach this to the L2L tunnel-group?

e.g.

group-policy Filtered_L2L_GP attributes
 vpn-filter value 10
 vpn-tunnel-protocol IPSec
!
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy Filtered_L2L_GP
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key *

Does the ACL need to permit the traffic in both directions, or is just outbound into the tunnel from the ASA?

If the requirement is for the VPN to be firewalled too, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?

Green

Re: ASA 5520 v 7.2 - Filter VPN Traffic

"do you assign it to a group policy and then attach this to the L2L tunnel-group?"

-Yes.

"Does the ACL need to permit the traffic in both directions, or is just outbound into the tunnel from the ASA?"

-It depends whether or not you have an ACL applied to your inside interface. If not, then you need it applied to your outside interface, not outbound from the ASA.

"If the requirement is for the VPN to be firewalled too, then is the only method still the removal of the "no sysopt connection permit-vpn" command and the addition of ACEs in the interface ACLs for the protected traffic?"

-Yes.
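As an added example, not taken from any post in this thread, here is a complete configuration for the scenario Fernando describes: "sysopt connection permit-vpn" stays enabled so the other L2L tunnels keep working, and the one tunnel that needs filtering gets its own group policy carrying a vpn-filter ACL. The peer address 203.0.113.10, the ACL and group-policy names, and the networks (local 192.168.0.0/24, remote 192.168.1.0/24, following the crypto ACL posted above) are assumptions; the ISAKMP policy, transform set and crypto map entry for that peer are assumed to already exist. Per Cisco's documented vpn-filter convention the ACL is written from the remote side's perspective (remote network as source, local network as destination), it is applied statefully to both directions, and a port operator therefore sits on whichever side owns the port.

```cisco
! Added example: per-tunnel filtering with vpn-filter on an ASA 5520 (7.2).
! Names, addresses and the peer 203.0.113.10 are assumed; ISAKMP policy,
! transform set and the crypto map entry for this peer are assumed to exist.
!
! Left enabled: the other L2L tunnels keep bypassing the interface ACLs.
sysopt connection permit-vpn
!
! Filter ACL, written from the remote peer's perspective (remote = source,
! local = destination). The filter is stateful, so no ACE for return traffic.
! Deny remote hosts from reaching TCP/80 and TCP/445 on the local LAN,
! then permit everything else between the two LANs.
access-list L2L_FILTER extended deny tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-list L2L_FILTER extended deny tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 445
access-list L2L_FILTER extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
! Anything not permitted above is dropped by the implicit deny.
!
! To block local hosts from reaching remote web servers instead, the port
! belongs to the remote (source) side of the ACE:
!   access-list L2L_FILTER extended deny tcp 192.168.1.0 255.255.255.0 eq 80 192.168.0.0 255.255.255.0
!
! Group policy used only by the filtered tunnel.
group-policy L2L_FILTERED_GP internal
group-policy L2L_FILTERED_GP attributes
 vpn-filter value L2L_FILTER
 vpn-tunnel-protocol IPSec
!
! Bind it to this peer's tunnel-group; the other tunnel-groups keep their
! current (default) group policy and are not filtered.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_FILTERED_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <psk>
!
! Verification (exec mode): the session should report the filter name, and
! the ACEs should accumulate hit counts while traffic is tested from the
! remote side.
!   show vpn-sessiondb detail l2l
!   show access-list L2L_FILTER
```

The filter is attached when the session comes up, so after binding the group policy clear the tunnel to that peer in a maintenance window (`clear crypto ipsec sa peer 203.0.113.10`) and confirm with `show vpn-sessiondb detail l2l` that the session shows the filter. Before relying on the port placement, test both a remote-initiated and a local-initiated connection and check that the hit counts in `show access-list L2L_FILTER` land on the ACE you expect: a filter that matches the wrong side of the connection silently permits what it was meant to deny.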
