ASA vpn-filter stateless?

acomiskey
Level 10

ASA 7.2.1. I have added a vpn-filter acl to a l2l tunnel-group policy. I used the following cisco document "Restrict the Network Access of Remote Access VPN Users".

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Problem is, I have to explicitly allow the return traffic from any initiated connection. For example...

access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet

access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1

I understand the acl needs to be written bidirectional, because it is not applied into or out of an interface, but shouldn't it be stateful? If not, what's the point of the vpn-filter?

Is my other option to remove "sysopt connection permit-ipsec" and put the vpn-filter ACLs on the outside interface?
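A quick audit for the gap described above, written as an added example for this thread (not the poster's code or a Cisco tool): it parses the permit entries of a vpn-filter ACL and reports any entry that has no swapped return-direction twin, assuming the ACL behaves as the post describes and using only the host / any / network-mask syntax shown here.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the two paired lines from the post plus a third rule
# whose return direction was never added.
SAMPLE_ACL = """\
access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet
access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1
access-list 101 permit tcp host 172.25.0.1 host 172.16.0.2 eq ssh
"""

class Rule(NamedTuple):
    name: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirror(self) -> "Rule":
        # The return-direction entry: endpoints and their ports swapped.
        return self._replace(src=self.dst, sport=self.dport, dst=self.src, dport=self.sport)

# One address spec: "host A", "any", or "NETWORK MASK" (assumed subset of ASA syntax).
_ADDR = r"(?:host \S+|any|\S+ \S+)"
_PERMIT = re.compile(
    rf"^access-list (\S+) permit (\S+) ({_ADDR})(?: eq (\S+))? ({_ADDR})(?: eq (\S+))?\s*$"
)

def parse_permits(acl_text: str) -> List[Rule]:
    """Parse the permit entries of a vpn-filter ACL; other lines are ignored."""
    rules = []
    for line in acl_text.splitlines():
        m = _PERMIT.match(line.strip())
        if m:
            rules.append(Rule(*m.groups()))
    return rules

def find_unmirrored(acl_text: str) -> List[Rule]:
    """Return permit entries that lack the matching return-direction entry."""
    rules = parse_permits(acl_text)
    present = set(rules)
    return [r for r in rules if r.mirror() not in present]

if __name__ == "__main__":
    for r in find_unmirrored(SAMPLE_ACL):
        print(f"no return entry for: {r.proto} {r.src} -> {r.dst} eq {r.dport}")
```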

1 Reply

acomiskey
Level 10

Anyone have any more info on "vpn-filter"?

Searched for bugs, here are a few examples:

CSCse67035 - If filter is applied on the vpn tunnel permitting the outbound traffic, ASA drops the packet unless the return is allowed. (JUNKED - Why?)

CSCse74848 - Command Reference and Configuration Guide entries for vpn-filter lack clarity. The vpn-filter operates on the ingress VPN traffic and does not filter egress VPN traffic. (That would have been nice to know)
