ASA 7.X vpn-filter (group-policy)

What direction are the ACLs supposed to work for the vpn-filter command in a group-policy? We intended to use this to filter traffic for this particular group to the inside subnet as well as VLANs routed through the inside/core switch. However, it seemed we could not restrict access to the inside subnet unless we did a deny any any.

1 REPLY

Re: ASA 7.X vpn-filter (group-policy)

I would highly recommend against the use of vpn-filter at this time. I attempted it on several versions of 7.2.1 and 7.2.2, even an engineering release given by TAC which was supposed to work. I was able to get it to function, but at random times the ASA would begin to block all traffic on the tunnels.

I ended up doing away with "sysopt connection permit-ipsec" and using my regular interface ACLs for IPsec traffic filtering.

The direction of the ACL is a little tricky. After much testing, I was able to determine that the ACL is "in outside interface". But the tricky part is it is not stateful! If you allow the traffic out from the inside, you must specifically allow the return traffic back in. It's kind of like writing an ACL in a switch.

You should be able to restrict traffic from outside; make sure you apply the filter to the group policy and then tear down the tunnel. If you don't tear it down and bring it back up, the changes won't be in effect.
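An added configuration example (not from this thread) showing how a vpn-filter ACL for the scenario in the question is written: the VPN client pool is always the source field and the local networks the destination, and an entry for a flow that the inside initiates toward a client is written the same way around with the service port on the source side. All names and addresses below are constructed.

```cisco
! Constructed addressing:
!   VPN client pool      : 10.200.0.0/24 (remote side, always the ACL source)
!   inside subnet        : 10.1.0.0/24
!   VLAN behind the core : 10.2.0.0/24

! Clients may reach only the HTTPS server on the inside subnet
access-list VPNFILTER-RA extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.0.10 eq 443
! Clients may reach only the file server on the VLAN routed through the core switch
access-list VPNFILTER-RA extended permit tcp 10.200.0.0 255.255.255.0 host 10.2.0.20 eq 445
! Help desk host on the inside initiating RDP to a client:
! still remote-as-source, so the destination port sits on the source side
access-list VPNFILTER-RA extended permit tcp 10.200.0.0 255.255.255.0 eq 3389 host 10.1.0.50
! Explicit, logged deny so that dropped tunnel traffic is visible while troubleshooting
access-list VPNFILTER-RA extended deny ip any any log

group-policy RA-POLICY attributes
 vpn-filter value VPNFILTER-RA
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! As the reply notes, an established session keeps the filter it connected with;
! log the user off so the updated group policy applies on reconnect (constructed username)
vpn-sessiondb logoff name jdoe
! Confirm which filter a reconnected session actually carries
show vpn-sessiondb detail remote filter name jdoe
```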
