topic Re: ASA vpn-filter stateless? in Network Security https://community.cisco.com/t5/network-security/asa-vpn-filter-stateless/m-p/633733#M1028801 <HTML><HEAD></HEAD><BODY><P>Anyone have any more info on "vpn-filter"?</P><P></P><P>Searched for bugs, here are a few examples:</P><P></P><P>CSCse67035 - If filter is applied on the vpn tunnel permititing the outbound traffic,ASA drops the packet unless the return is allowed. (JUNKED - Why?)</P><P></P><P>CSCse74848 - Command Reference and Configuration Guide entries for vpn-filter lack clarity. The vpn-filter operates on the ingress VPN traffic and does not filter egress VPN traffic. (That would have been nice to know)</P><P></P><P></P><P></P></BODY></HTML> Tue, 16 Jan 2007 16:11:05 GMT acomiskey 2007-01-16T16:11:05Z ASA vpn-filter stateless? https://community.cisco.com/t5/network-security/asa-vpn-filter-stateless/m-p/633732#M1028798 <P>ASA 7.2.1. I have added a vpn-filter acl to a l2l tunnel-group policy. I used the following cisco document "Restrict the Network Access of Remote Access VPN Users".</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml</A></P><P></P><P>Problem is, I have to explicitly allow the return traffic from any initiated connection. For example...</P><P></P><P>access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet</P><P>access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1</P><P></P><P>I understand the acl needs to be written bidirectional, because it is not applied into or out of an interface, but shouldn't it be stateful? If not, what's the point of the vpn-filter?</P><P></P><P>Is my other option to remove "sysopt connection permit-ipsec" and put the vpn-filter acl's on the outside interface?</P> Mon, 11 Mar 2019 09:20:07 GMT https://community.cisco.com/t5/network-security/asa-vpn-filter-stateless/m-p/633732#M1028798 acomiskey 2019-03-11T09:20:07Z Re: ASA vpn-filter stateless? https://community.cisco.com/t5/network-security/asa-vpn-filter-stateless/m-p/633733#M1028801 <HTML><HEAD></HEAD><BODY><P>Anyone have any more info on "vpn-filter"?</P><P></P><P>Searched for bugs, here are a few examples:</P><P></P><P>CSCse67035 - If filter is applied on the vpn tunnel permititing the outbound traffic,ASA drops the packet unless the return is allowed. (JUNKED - Why?)</P><P></P><P>CSCse74848 - Command Reference and Configuration Guide entries for vpn-filter lack clarity. The vpn-filter operates on the ingress VPN traffic and does not filter egress VPN traffic. (That would have been nice to know)</P><P></P><P></P><P></P></BODY></HTML> Tue, 16 Jan 2007 16:11:05 GMT https://community.cisco.com/t5/network-security/asa-vpn-filter-stateless/m-p/633733#M1028801 acomiskey 2007-01-16T16:11:05Z