https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012919#M23148 <P>Hello</P><P>&nbsp;</P><P>Does this mean, irrespective of the direction of the traffic flow in the tunnel, the VPN filter ACL should always have the Remote Network as Source and the Local Network as Destination?</P> Thu, 16 Jan 2020 19:32:16 GMT ravindra962 2020-01-16T19:32:16Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012893#M23146 <P>Hello</P><P>&nbsp;</P><P>I have Some questions regarding the VPN filter ACL Functionality.</P><P>I recently configured a Route Based VPN Tunnel between my ASA and Azure Cloud. There are two ACL's here. The INSIDE interface has an an ACL applied and then I also Put a VPN filter ACL in this route based VPN tunnel.</P><P>Local Host: 1.1.1.1</P><P>Azure Host: 2.2.2.2</P><P>The vpn filter ACL is</P><P>access-list vpnfilter extended pemit tcp host 1.1.1.1 host 2.2.2.2 eq 22</P><P>&nbsp;</P><P>When we started testing I see the access allowed on the Interface ACL, but the access is blocked by the filter ACL</P><P>Then I was told my filter ACL is wrong and it should be put in the below way</P><P>access-list vpnfilter extended pemit tcp&nbsp; host 2.2.2.2 host 1.1.1.1 eq 22</P><P>&nbsp;</P><P>Can anyone please help me understand why I should flip my filter ACL for this to work?</P><P>&nbsp;</P><P>Thanks</P><P>Ravi</P> Thu, 16 Jan 2020 18:48:35 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012893#M23146 ravindra962 2020-01-16T18:48:35Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012898#M23147 <P>Hi,</P><P>The ASA VPN Filter is configured differently than a normal ACL, with the remote network as source and the local network as destination.</P><P>&nbsp;</P><P>Reference <A href="https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html" target="_self">here.</A> Quote from reference - "When a vpn-filter is applied to a group-policy that governs a L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL".</P><P>&nbsp;</P><P>HTH</P> Thu, 16 Jan 2020 18:54:36 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012898#M23147 Rob Ingram 2020-01-16T18:54:36Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012919#M23148 <P>Hello</P><P>&nbsp;</P><P>Does this mean, irrespective of the direction of the traffic flow in the tunnel, the VPN filter ACL should always have the Remote Network as Source and the Local Network as Destination?</P> Thu, 16 Jan 2020 19:32:16 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012919#M23148 ravindra962 2020-01-16T19:32:16Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012921#M23149 Hi,<BR />Yes, that's correct.<BR /><BR />HTH Thu, 16 Jan 2020 19:35:32 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012921#M23149 Rob Ingram 2020-01-16T19:35:32Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012957#M23152 <P>So, in the below VPN filter&nbsp; ACL traffic is allowed on Port 22 bidirectionally?&nbsp; (Local to Remote and Remote to Local)</P><P>&nbsp;</P><P><SPAN>access-list vpnfilter extended pemit tcp&nbsp; host 2.2.2.2 host 1.1.1.1 eq 22</SPAN></P> Thu, 16 Jan 2020 20:09:20 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012957#M23152 ravindra962 2020-01-16T20:09:20Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012967#M23155 It would permit traffic from host 1.1.1.1 if the source is tcp/22. If the source port is not tcp/22 then define another entry in the ACL.<BR /><BR />Try something like this:- "access-list vpnfilter permit tcp host 2.2.2.2 eq 22 host 1.1.1.1" Thu, 16 Jan 2020 20:18:08 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4012967#M23155 Rob Ingram 2020-01-16T20:18:08Z https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4013009#M23157 <P>Understood</P><P>The control on the VPN filter is defined by how you out the port.</P><P>Thank you very much</P> Thu, 16 Jan 2020 20:54:42 GMT https://community.cisco.com/t5/network-security/vpn-filter-acl-functionality/m-p/4013009#M23157 ravindra962 2020-01-16T20:54:42Z