Access rules over Site to Site VPN

Hi all,

I am the network admin at an organisation in Pune. We have a site-to-site VPN with another organisation in Amsterdam.

    Pune                                             Amsterdam

    ASA 5510 (ASDM 6.3, ASA 8.3)  <------------>  ASA 5510 (ASDM 6.2, ASA 8.2)

There is full (IP-to-IP) connectivity between the two sites.

There have been numerous security attacks on the servers in Amsterdam. If the AMS network is compromised it could harm my local network.

So I want to apply access rules to the VPN such that only the Pune site has full access to AMS, but AMS is not able to access resources at the Pune location.

I do not want to change the 'Bidirectional' connection type of the VPN. Also, I do not want any config on the AMS side.

I will appreciate all the help I get.

Thank you.


Access rules over Site to Site VPN


You can do it two ways:

1) Stop traffic at the inside interface for Pune; permit only whatever is required.

2) Put a VPN filter ACL at AMS to stop unwanted traffic.




Access rules over Site to Site VPN

VPN filters won't really work as expected because you can't define a direction when source and destination ports aren't defined.  For example:

access-list vpn-filter permit ip


access-list vpn-filter permit tcp

These filter rules, when applied to a group policy for your tunnel, will become bidirectional.  You can't specify which side is allowed to initiate a connection.

I would suggest (if you don't have a lot of other tunnels that will be affected) that you remove 'sysopt connection permit-vpn' and begin filtering on your outside interface to prevent inbound connections from the destination while allowing outbound connectivity from your internal interface. Given that your outbound connections are TCP, the return traffic will be allowed since it's already in the fast path.
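To make the two points in this reply concrete (a vpn-filter ACE without ports matches both directions, and the alternative of dropping the interface-ACL bypass and filtering on the outside interface), here is an added ASA configuration example. It is not from the original thread or from any of the posters; the network addresses (Pune 10.1.0.0/16, Amsterdam 10.2.0.0/16, a third tunnel's 10.3.0.0/16), the peer address 203.0.113.2 and the object names (AMS-VPN-FILTER, AMS-GP, OUTSIDE-IN) are all assumptions chosen for illustration. Syntax is ASA 8.3-style.

```cisco
! ===== Assumed topology (not from the post) =====
!   Pune (local)      10.1.0.0/16   outside interface name "outside"
!   Amsterdam (remote) 10.2.0.0/16  IPsec peer 203.0.113.2
!   A second, unrelated tunnel      10.3.0.0/16

! ----- Part 1: why a vpn-filter cannot express "only Pune initiates" -----
! A vpn-filter ACL is written from the remote side's point of view
! (source = remote/AMS, destination = local/Pune). The ASA checks it on
! traffic in BOTH directions, swapping source and destination for
! local->remote packets. An "ip" ACE therefore matches both ways.
access-list AMS-VPN-FILTER extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!   AMS -> Pune : matched directly            -> denied (wanted)
!   Pune -> AMS : matched after swap          -> denied (NOT wanted)
!
! Only a destination port lets direction show through, e.g.
!   access-list AMS-VPN-FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
! permits AMS -> Pune:443 but, after the swap, a Pune -> AMS:443 connection
! (Pune side on an ephemeral port) does not match "eq 443".

group-policy AMS-GP internal
group-policy AMS-GP attributes
 vpn-filter value AMS-VPN-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy AMS-GP

! ----- Part 2: the alternative from the reply -----
! By default decrypted VPN traffic bypasses interface ACLs. Turning the
! bypass off makes the outside interface ACL apply to NEW connections
! arriving through every tunnel; return traffic for connections that
! Pune hosts opened is still allowed by the connection table.
no sysopt connection permit-vpn

! Block connections initiated from AMS towards Pune ...
access-list OUTSIDE-IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! ... and, because the bypass is now off for ALL tunnels, explicitly permit
! the other tunnels' traffic (assumed 10.3.0.0/16) or they stop working.
access-list OUTSIDE-IN extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE-IN in interface outside
```

Pune-initiated connections never hit OUTSIDE-IN as new connections: they leave via an inside (sub)interface, are encrypted, and their replies from AMS match the existing connection entry. The cost, as the reply notes, is that every other tunnel on the box now needs its own permit entries on the outside interface, which is exactly the objection raised in the next post.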


Access rules over Site to Site VPN

Thanks guys.

1. There are other VPNs on the device so cannot remove 'sysopt connection permit-vpn'.

2. Also, I cannot filter on the inside interface as I have around 20 subinterfaces inside.

3. Let's say AMS = and PUNE = .

    If I configure the access-list,

    access-list vpn-filter deny ip

    it will block traffic from -> , which is not desirable.

4. It is also not feasible to filter at the port level.

I am really thankful for all the replies.
