VPN Filter ACL - Functionality

ravindra962
Level 1

Hello

I have some questions regarding the VPN filter ACL functionality.

I recently configured a route-based VPN tunnel between my ASA and Azure Cloud. There are two ACLs here. The INSIDE interface has an ACL applied, and then I also put a VPN filter ACL on this route-based VPN tunnel.

Local Host: 1.1.1.1

Azure Host: 2.2.2.2

The vpn filter ACL is

access-list vpnfilter extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22

When we started testing I saw the access allowed by the interface ACL, but blocked by the filter ACL.

Then I was told my filter ACL is wrong and it should be written the following way:

access-list vpnfilter extended permit tcp host 2.2.2.2 host 1.1.1.1 eq 22

Can anyone please help me understand why I should flip my filter ACL for this to work?

 

Thanks

Ravi


6 Replies

Hi,

The ASA VPN Filter is configured differently than a normal ACL, with the remote network as source and the local network as destination.

 

Reference here. Quote from reference - "When a vpn-filter is applied to a group-policy that governs a L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL".

 

HTH

Hello

 

Does this mean, irrespective of the direction of the traffic flow in the tunnel, the VPN filter ACL should always have the Remote Network as Source and the Local Network as Destination?

Hi,
Yes, that's correct.

HTH

So, in the VPN filter ACL below, is traffic allowed on port 22 bidirectionally? (Local to Remote and Remote to Local)

access-list vpnfilter extended permit tcp host 2.2.2.2 host 1.1.1.1 eq 22

It would permit traffic from host 1.1.1.1 if the source is tcp/22. If the source port is not tcp/22 then define another entry in the ACL.

Try something like this:- "access-list vpnfilter permit tcp host 2.2.2.2 eq 22 host 1.1.1.1"

Understood

The control on the VPN filter is defined by how you put the port.

Thank you very much
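The point the thread settles on, as an added worked example that is not part of the original thread and not Cisco code: a vpn-filter ACE is always read with the remote side in the source position and the local side in the destination position, and for a connection initiated from the local side the ASA evaluates the same ACE with the packet's addresses swapped. The model below parses the three ACLs quoted in the thread (the OP's original, the flipped one, and the one from the accepted answer) and checks which SSH connections each one lets through. The ephemeral source ports, the function names and the `initiated_by_remote` flag are constructed for the illustration; the ACE syntax handled is only the `host A [eq P] host B [eq P]` subset used in the thread, with numeric ports.

```python
"""Model of how an ASA vpn-filter ACL is evaluated (added illustration, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


# Accepts the subset of ASA syntax used in the thread:
#   access-list NAME [extended] permit|deny tcp|udp|ip host A [eq P] host B [eq P]
_ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)


def parse_ace(line: str) -> Ace:
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return Ace(
        m["action"], m["proto"],
        m["src"], int(m["sport"]) if m["sport"] else None,
        m["dst"], int(m["dport"]) if m["dport"] else None,
    )


def _ace_matches(ace: Ace, proto: str, remote_ip: str, remote_port: int,
                 local_ip: str, local_port: int) -> bool:
    # The ACE is always read as (remote = src position, local = dst position),
    # whichever side opened the connection.
    return (ace.proto in ("ip", proto)
            and ace.src == remote_ip
            and (ace.src_port is None or ace.src_port == remote_port)
            and ace.dst == local_ip
            and (ace.dst_port is None or ace.dst_port == local_port))


def vpn_filter_permits(acl: List[Ace], proto: str, src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int, initiated_by_remote: bool) -> bool:
    """Decide whether the first packet of a new connection passes the vpn-filter.

    A packet arriving from the tunnel already has src = remote, dst = local.
    A packet leaving toward the tunnel is evaluated against the same ACL with the
    addresses swapped, so the local end is still compared with the dst position.
    Return traffic of an established connection is not filtered again (stateful).
    """
    if initiated_by_remote:
        remote_ip, remote_port, local_ip, local_port = src_ip, src_port, dst_ip, dst_port
    else:
        remote_ip, remote_port, local_ip, local_port = dst_ip, dst_port, src_ip, src_port
    for ace in acl:
        if _ace_matches(ace, proto, remote_ip, remote_port, local_ip, local_port):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


# The three ACLs quoted in the thread (local host 1.1.1.1, Azure host 2.2.2.2).
ACL_ORIGINAL = [parse_ace("access-list vpnfilter extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22")]
ACL_FLIPPED = [parse_ace("access-list vpnfilter extended permit tcp host 2.2.2.2 host 1.1.1.1 eq 22")]
ACL_ACCEPTED = [parse_ace("access-list vpnfilter permit tcp host 2.2.2.2 eq 22 host 1.1.1.1")]


def local_ssh_to_remote(acl: List[Ace]) -> bool:
    # Local 1.1.1.1 opens SSH to Azure 2.2.2.2; 51515 is a constructed ephemeral port.
    return vpn_filter_permits(acl, "tcp", "1.1.1.1", 51515, "2.2.2.2", 22,
                              initiated_by_remote=False)


def remote_ssh_to_local(acl: List[Ace]) -> bool:
    # Azure 2.2.2.2 opens SSH to local 1.1.1.1; 40404 is a constructed ephemeral port.
    return vpn_filter_permits(acl, "tcp", "2.2.2.2", 40404, "1.1.1.1", 22,
                              initiated_by_remote=True)


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("flipped", ACL_FLIPPED),
                      ("accepted", ACL_ACCEPTED)):
        print(f"{name:9s} local->remote:22 {str(local_ssh_to_remote(acl)):5s} "
              f"remote->local:22 {remote_ssh_to_local(acl)}")
```

Running it reproduces the thread: the original ACE matches nothing in either direction (the OP's "blocked by the filter ACL"), the flipped ACE with `eq 22` on the local host only admits connections that the remote side opens to port 22 on 1.1.1.1, and the accepted answer's ACE with `eq 22` on the remote host is the one that lets 1.1.1.1 open SSH to 2.2.2.2. To allow SSH in both directions you need both of the last two entries in the ACL.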
