What direction are the ACLs supposed to work for the vpn-filter command in a group-policy? We intended the use of this to filter traffic for this particular group to the inside subnet as well as VLANs routed through the inside/core switch. However, it seemed we could not restrict access to the inside subnet unless we did a deny any any.
I would highly recommend against the use of vpn-filter at this time. I attempted it on several versions of 7.2.1 and 7.2.2, even an engineering release given by TAC which was supposed to work. I was able to get it to function, but at random times, the ASA would begin to block all traffic on the tunnels.
I ended up doing away with "sysopt connection permit-ipsec" and using my regular interface acls for ipsec traffic filtering.
The direction of the ACL is a little tricky. After much testing, I was able to determine that the ACL is "in outside interface". But the tricky part is it is not stateful! If you allow the traffic out from the inside, you must specifically allow the return traffic back in. It's kind of like writing an ACL in a switch.
You should be able to restrict traffic from outside; make sure you apply the filter to the group policy and then tear down the tunnel. If you don't tear it down and bring it back up, the changes won't be in effect.
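To make the two replies above concrete, here is an added configuration example (not from the thread or from Cisco documentation) that writes the vpn-filter ACL the way the second reply describes it: evaluated as if inbound on the outside interface, with the remote/VPN side as source and the inside network as destination, and with return traffic for inside-initiated sessions listed explicitly rather than relying on state. All addresses, the group-policy name and the ACL names are constructed assumptions.

```text
! Added example; constructed values only.
! Assumed: inside subnet 10.10.10.0/24, remote VPN pool 192.168.50.0/24,
! inside web server 10.10.10.25, remote-side file server 192.168.50.10.
!
! Per the reply above, the filter is evaluated as "in outside interface":
! source = remote/VPN side, destination = inside. Because the reply reports it
! is not stateful, the return leg of inside-initiated sessions is permitted
! explicitly, with the remote service port as the SOURCE port.
access-list VPN-FILTER-SALES remark VPN users may reach the inside web server only
access-list VPN-FILTER-SALES extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.10.25 eq 80
access-list VPN-FILTER-SALES extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.10.25 eq 443
access-list VPN-FILTER-SALES remark return traffic for inside hosts that opened SMB to the remote file server
access-list VPN-FILTER-SALES extended permit tcp host 192.168.50.10 eq 445 10.10.10.0 255.255.255.0
access-list VPN-FILTER-SALES remark no deny needed: anything else to the inside subnet or routed VLANs hits the implicit deny
!
group-policy SALES-GP attributes
 vpn-filter value VPN-FILTER-SALES
!
! The filter is picked up only by a new tunnel (as noted above), so clear the
! existing SA after changing it.
clear crypto ipsec sa
!
! Alternative taken in the first reply: stop exempting VPN traffic from the
! interface ACLs and filter the decrypted traffic with the normal outside ACL.
no sysopt connection permit-ipsec
access-list OUTSIDE-IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.10.25 eq 443
access-group OUTSIDE-IN in interface outside
```

With the first approach, the asker's original symptom (no restriction without a deny any any) should not occur, because only the listed flows are permitted and everything else to the inside subnet and the routed VLANs is dropped by the ACL's implicit deny.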