Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Implementing vpn-filter Cisco ASA 8.2(1)

Hi there,

I have configured a vpn-filter which should allow a RDP connection to just one server and block all other traffic. The direction of the traffic is from the local subnet to the remote host.

Local subnet

Remote host     192.168.253.x

My access-list looks like this:

access-list l2l_ACL permit tcp host eq 3389

Created a group-policy:

group-policy L2L_IGP internal

group-policy L2L_IGP attributes

vpn-filter value l2l_ACL

Applied the group-policy to the tunnel-group:

tunnel-group x.x.x.x general-attributes

default-group-policy L2L_IGP

I don't have anything configured regarding the statement "sysopt connection permit-vpn", i assume it's on by default.

Now, when i initiate a RDP to 192.168.254.x, i get a connection. It seems to me that the traffic is bypassed for some reason.

Any thoughts?


Super Bronze

Implementing vpn-filter Cisco ASA 8.2(1)


Can you post the output of

show run all sysopt

This will list the current setting for

sysopt connection permit-vpn

So are you saying that you LAN Users are connecting to the remote server with RDP and you want to limit this to only destination IP?

Are you also saying the LAN users are also able to connect to other remote IPs?

Can you also post the output of

show access-list l2l_ACL permit

- Jouni

New Member

Re: Implementing vpn-filter Cisco ASA 8.2(1)

Hi Jouni,

Thanks for your quick reply.

Output "show run all sysopt"

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

sysopt connection permit-vpn

sysopt connection reclassify-vpn

no sysopt connection preserve-vpn-flows

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt noproxyarp outside

no sysopt noproxyarp dmz

no sysopt noproxyarp intern

no sysopt noproxyarp wds

no sysopt noproxyarp test

no sysopt noproxyarp guest

no sysopt noproxyarp management

I just want to allow a RDP connection to the remote host as mentioned. And yes, they can also connect to other remote IPs.

Output "show access-list l2l_ACL" (the permit option doesn't work)

access-list l2l_ACL line 1 extended permit tcp host eq 3389 (hitcnt=0) 0xf2d72120


Re: Implementing vpn-filter Cisco ASA 8.2(1)

Post config


New Member

Re: Implementing vpn-filter Cisco ASA 8.2(1)


Strange things have happened...

For whatever reason suddenly this morning the configured ACL, mentioned in my first post, is working . Because this ACL was for testing purposes,i removed it. But that didn't work either, it looked to me like it kept the configured ACL.

I will post my config soon.


New Member

Re: Implementing vpn-filter Cisco ASA 8.2(1)


I have replaced the ASA with another one (new version as well, 9.0.2). I am gonna try the same thing on this device, will get back if the problem comes back on this one.


CreatePlease to create content