Can Identity Firewall work with L2L IPSec


One of my customers has requested an L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.

The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.

I've read about sysopt and vpn filter. So there are 2 choices.

1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.

2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.

This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.

VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.

Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?

Thanks in advance for your input.
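As an added example (not configuration from the poster or from Cisco's documentation), this is how the two options read as ASA CLI. The peer address 203.0.113.10, the remote LAN 10.10.10.0/24, the local server subnet 192.168.1.0/24, the AD group CORP\Finance and the object names are all placeholders. The two halves are alternatives, not a single configuration: option 1 removes the implicit bypass so the normal inbound interface ACL, including its identity-based entries, is evaluated against decrypted tunnel traffic; option 2 keeps the bypass and attaches an identity ACL to the peer's group policy with vpn-filter. Both assume the identity firewall is already enabled (user-identity enable with a domain and AD agent defined), since the ASA can only match user-group entries for remote hosts whose IP-to-user mapping it has learned.

```cisco
! Added example, not the poster's config. Placeholder values: peer 203.0.113.10,
! remote LAN 10.10.10.0/24, local servers 192.168.1.0/24, AD group CORP\Finance.
! Assumes identity firewall is already enabled (user-identity enable, domain and
! AD agent defined) so the ASA can map the remote hosts' IPs to AD users.
!
! --- Option 1: make decrypted tunnel traffic subject to the interface ACL ---
no sysopt connection permit-vpn
!
! Identity ACE: ASA syntax for a group is user-group DOMAIN\\group (double backslash).
! Because the bypass is gone, this ACL must also permit any other inbound traffic
! the outside interface is expected to accept.
access-list OUTSIDE_IN extended permit tcp user-group CORP\\Finance 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 445
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Option 2: keep the default bypass and apply an identity ACL per tunnel ---
sysopt connection permit-vpn
!
! vpn-filter ACLs are written remote-side source, local-side destination, and the
! ASA enforces them in both directions of the tunnel. The explicit deny with log
! only adds logging; the filter already denies anything not permitted.
access-list L2L_FILTER extended permit tcp user-group CORP\\Finance 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 445
access-list L2L_FILTER extended deny ip any any log
!
group-policy L2L_PEER_GP internal
group-policy L2L_PEER_GP attributes
 vpn-filter value L2L_FILTER
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_PEER_GP
```

Before relying on either option, confirm the ASA actually holds a mapping for the hosts behind the remote peer (show user-identity user active) and that the tunnel is up (show vpn-sessiondb l2l); an identity ACE never matches a source address the ASA has no user for, so a missing mapping shows up as hits on the deny line rather than as an obvious error.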
