VPN traffic between interfaces

Our ASA 5520 firewall is running 8.0(4) IOS.

I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.

With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.

The security level on the ENG interface is set at 50.

The security level on the destination interface PRODUCTION is set at 40.


Inbound VPN traffic bypasses the ENG interface ACL, and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODUCTION interface and set at INBOUND (outbound VPN traffic).


Could I get a sanity check on this setup?

To me, this design seems flawed.

All comments are welcome - PLEASE..





Not sure if I am 100% right, but VPN is considered "trusted" so configured security levels on remote ASA will have little effect.

What you can do is easy:


As protected traffic, do not specify anything you do not want to go across.

If there are ports and protocols involved, you can create a VPN filter (ACL) that works both ways, so that can add an additional layer of security.


Also, an access-group configured on an interface that doesn't terminate the VPN (e.g. inside), configured in the OUT direction, can deny traffic, so you can place them there if you want to protect parts of your network.


I noticed that when I added a new L2L VPN, the firewall IOS automatically created an ACL; is this the "VPN filter" you are referring to in your first response?


Is there any difference between the VPN filter ACL and a normal interface ACL other than where they are applied and the VPN filter encrypts permitted egress traffic?


Thanks again



Not quite...

There are several access-lists that have completely different roles...

ACL that you use on your crypto map: that is used to define protected traffic (traffic that should be transported through the tunnel)

ACL2 that you can use for VPN-filter:

access-list 105 extended permit tcp host eq 3389

access-list 105 extended permit tcp host eq 3389

group-policy RDP attributes

vpn-filter value 105

This way, I used another access list to allow only RDP to my hosts from network

ACL3 can be used on your inside interface, for traffic going to your inside network (interface inside, direction out), where you can specify which traffic you will allow into your network. That will apply to VPN and non-VPN traffic.
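To make the three ACL roles from this answer concrete, and to tie them back to the original question about where VPN traffic from ENG (security level 50) toward PRODUCTION (security level 40) can actually be filtered, here is an added ASA 8.0-style configuration example. It is constructed for this thread, not the poster's own config: every interface name, network, peer address, ACL name, group-policy name and the placeholder pre-shared key are assumptions.

```cisco
! Constructed example: the three distinct ACL roles on an ASA 8.0(4).
! All addresses, names and the pre-shared key are placeholders.

! ENG terminates the L2L tunnel; PRODUCTION is the destination network.
interface GigabitEthernet0/1
 nameif ENG
 security-level 50
 ip address 10.50.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif PRODUCTION
 security-level 40
 ip address 10.40.0.1 255.255.255.0

! ACL 1 - crypto ACL: selects which traffic is protected (sent through the
! tunnel). It does NOT filter; it only defines "interesting" traffic.
! Local PRODUCTION subnet <-> remote site subnet (assumed 192.168.100.0/24).
access-list ENG_CRYPTO extended permit ip 10.40.0.0 255.255.255.0 192.168.100.0 255.255.255.0

! ACL 2 - vpn-filter: applied to this tunnel's decrypted (inbound) and
! pre-encryption (outbound) traffic. It is written from the remote side's
! point of view: source = remote network, destination = local network; the
! ASA evaluates outbound traffic with source/destination swapped.
! Here only RDP from the remote site to one PRODUCTION host is permitted.
access-list VPN_FILTER_REMOTE extended permit tcp 192.168.100.0 255.255.255.0 host 10.40.0.25 eq 3389

group-policy REMOTE_SITE_GP internal
group-policy REMOTE_SITE_GP attributes
 vpn-filter value VPN_FILTER_REMOTE

! L2L tunnel-group is named after the assumed peer address; it binds the
! group-policy (and therefore the vpn-filter) to this tunnel.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy REMOTE_SITE_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-CHANGE-ME

! IKE/IPsec settings (8.0 syntax) and the crypto map bound to ENG.
crypto isakmp enable ENG
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ENG_MAP 10 match address ENG_CRYPTO
crypto map ENG_MAP 10 set peer 203.0.113.10
crypto map ENG_MAP 10 set transform-set ESP-AES-SHA
crypto map ENG_MAP interface ENG

! ACL 3 - interface ACL in the OUT direction on PRODUCTION. The inbound ACL
! on ENG is bypassed for decrypted traffic by "sysopt connection permit-vpn",
! but this one is evaluated for VPN and non-VPN traffic alike as it leaves
! the ASA toward PRODUCTION. Deny-and-log gives SOC visibility of misses.
access-list PRODUCTION_OUT extended permit tcp 192.168.100.0 255.255.255.0 host 10.40.0.25 eq 3389
access-list PRODUCTION_OUT extended deny ip any any log
access-group PRODUCTION_OUT out interface PRODUCTION
```

Two things worth checking on a real box: `show vpn-sessiondb detail l2l` confirms the tunnel actually picked up the expected group-policy (and thus the vpn-filter), and `show access-list` hit counts on VPN_FILTER_REMOTE and PRODUCTION_OUT show which layer is doing the blocking. If you would rather have the ENG inbound ACL apply to decrypted traffic as well, `no sysopt connection permit-vpn` turns the bypass off, at the cost of having to permit every VPN flow explicitly on the terminating interface.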
