Cisco Support Community
ASA vpn-filter stateless?

ASA 7.2.1. I have added a vpn-filter ACL to an L2L tunnel-group policy. I used the following Cisco document, "Restrict the Network Access of Remote Access VPN Users":

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Problem is, I have to explicitly allow the return traffic from any initiated connection. For example...

access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet
access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1

I understand the ACL needs to be written bidirectionally, because it is not applied in or out on an interface, but shouldn't it be stateful? If not, what's the point of the vpn-filter?

Is my other option to remove "sysopt connection permit-ipsec" and put the vpn-filter ACLs on the outside interface?
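To make the two setups discussed in the question concrete, here is an added configuration example; it is not part of the original post and not taken from the Cisco document linked above. The peer address 203.0.113.5, the group-policy name L2L_GP, the interface name "outside", the ACL name OUTSIDE_IN, and the placement of 172.16.0.1 on the remote side of the tunnel are all assumptions; the ACL 101 entries are the poster's own.

```text
! --- Option A: vpn-filter attached to the group policy (the setup in the question) ---
! Assumed: remote peer 203.0.113.5, group-policy name L2L_GP (both hypothetical).
! A vpn-filter ACL is not bound to an interface direction, which is why the
! poster ended up listing both the initiating flow and its return flow.
access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet
access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1

group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value 101

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy L2L_GP

! --- Option B: the alternative raised in the question ---
! Stop IPsec traffic from bypassing the interface ACL, then filter the decrypted
! traffic with the ordinary interface ACL on "outside", which is stateful:
! a flow permitted inbound gets its return packets matched from the connection
! table, and a flow initiated from the inside needs no inbound entry at all.
! Assumed here: 172.16.0.1 is the remote host, 172.25.0.1 the local host.
! (Newer ASA releases spell this command "sysopt connection permit-vpn".)
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit tcp host 172.16.0.1 host 172.25.0.1 eq telnet
access-group OUTSIDE_IN in interface outside
```

With Option B the filtering applies to every peer terminating on that interface, not just this one tunnel, so the interface ACL has to carry entries for all of them, and any remote-initiated flow that is not listed will be dropped once the sysopt bypass is removed.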

1 REPLY

Re: ASA vpn-filter stateless?

Anyone have any more info on "vpn-filter"?

Searched for bugs, here are a few examples:

CSCse67035 - If a filter is applied on the VPN tunnel permitting the outbound traffic, the ASA drops the packet unless the return is allowed. (JUNKED - Why?)

CSCse74848 - Command Reference and Configuration Guide entries for vpn-filter lack clarity. The vpn-filter operates on the ingress VPN traffic and does not filter egress VPN traffic. (That would have been nice to know.)
