
Question regarding ASA vfilter

Melinbonian
Level 1

Hello

I recently found out that the vfilter on ASA VPNs is considered stateless and is always configured inbound. So let's take the following example:

R1---20.0.0.0/24---ASA1---(10.0.0.0/24)-----ASA2----30.0.0.0/24---R2

If I want to SSH from R1 to R2, then I will need the following:

access-list VFILTER1 extended permit tcp 30.0.0.0 255.255.255.0 eq 22 20.0.0.0 255.255.255.0


And if I was interested in doing SSH from R2 to R1, I would do this:

access-list VFILTER1 extended permit tcp 30.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 22

However, since it is stateless, I assume the above will allow the first 'flow' from R2 to R1, but R1 to R2 (return traffic) will be allowed by an existing ACL on the inside interface (if there is one) or by default from security zones?

 

4 Replies

Hi,

VPN filters are configured in the inbound direction, but they are bi-directional/stateful, as the outbound rule is automatically compiled.

 

No interface-level ACLs need to be configured; the sysopt connection permit-vpn command (which is the default) allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists.

 

Your examples therefore look correct if applied to ASA1; they would be incorrect if applied to ASA2.

 

HTH

Yes, I was talking about the config of ASA1. However, I do remember a friend mentioning that in his case a TAC engineer told him that the vfilter is stateless, which is why I'm not sure I understand 'technically' how a stateless vfilter can bypass ACLs with sysopt and still allow the traffic from inside to outside (let's say the SYN and ACK packets of the 3-way handshake).

Applied VPN Filter + capture of 3-way handshake

 

ASA CONFIGURATION:-

 

group-policy POLICY attributes
 vpn-filter value VPN_FILTER_HQ
 
ASA-2(config)# show run object in-line
object network LAN-1 subnet 10.20.0.0 255.255.255.0

 

ASA-2(config)# show run access-list
access-list VPN_FILTER_HQ extended permit tcp 10.10.0.0 255.255.255.0 object LAN-1 eq telnet
access-list VPN_FILTER_HQ extended deny ip any any log

 
ASA-2(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN_FILTER_HQ; 2 elements; name hash: 0xa3042b44
access-list VPN_FILTER_HQ line 1 extended permit tcp 10.10.0.0 255.255.255.0 object LAN-1 eq telnet (hitcnt=2) 0x9249a9d4
  access-list VPN_FILTER_HQ line 1 extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq telnet (hitcnt=2) 0x9249a9d4
access-list VPN_FILTER_HQ line 2 extended deny ip any any log informational interval 300 (hitcnt=0) 0x69ad53d5

show capture CAPIN

43: 21:32:55.785527       10.10.0.1.40422 > 10.20.0.2.23: S 448803166:448803166(0) win 4128 <mss 536>
44: 21:32:55.790608       10.20.0.2.23 > 10.10.0.1.40422: S 1035867207:1035867207(0) ack 448803167 win 4128 <mss 536>
45: 21:32:55.821643       10.10.0.1.40422 > 10.20.0.2.23: . ack 1035867208 win 4128

TESTING:-


Switch#show ip int br | inc Loopback
Loopback0              10.10.0.1  

Switch#telnet 10.20.0.2
Trying 10.20.0.2 ... Open

User Access Verification

Username:
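The direction rules the replies above describe, put into a small model so they can be checked on paper. This is an added example written for this page; it is not code from the thread or from Cisco. It parses ASA-style extended ACEs, matches decrypted traffic leaving the tunnel against them as written and clear-text traffic about to enter the tunnel with source and destination swapped (which is how an ACE written remote-to-local also covers the other direction), keeps a connection table so only the first packet of a flow is checked, and then runs three things through it: the captured telnet handshake from the post above, the original poster's R1-to-R2 SSH ACE applied unchanged at both ends of the tunnel, and a hypothetical outside-interface ACL with and without sysopt connection permit-vpn. Assumptions: only the tcp and ip protocols and the eq operator are parsed, only the port keywords ssh and telnet are known, ACEs use the addr/mask or any form (object LAN-1 is expanded the way show access-list prints it), and the OUTSIDE_IN ACL and the 20.0.0.1 / 30.0.0.1 packet are constructed for the example.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ssh": 22, "telnet": 23}  # only these ASA port keywords are understood (assumption)
Packet = namedtuple("Packet", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src sport dst dport")  # sport/dport None means any port


def swapped(p):  # the same packet with source and destination exchanged
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


def ace_matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace.src and ipaddress.ip_address(p.dst) in ace.dst
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))


def _addr(t, i):  # consume 'any' or '<addr> <mask>' at t[i]
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t, i):  # consume an optional 'eq <port|name>' at t[i]
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC [eq P] DST [eq P] [log ...]' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 5)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        acl.append(Ace(t[3], t[4], src, sport, dst, dport))
    return acl


def first_match(acl, p):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    return next((ace.action for ace in acl if ace_matches(ace, p)), "deny")


class VpnFilterAsa:
    """One tunnel endpoint: its vpn-filter, an optional outside-interface ACL and a conn table."""

    def __init__(self, vpn_filter, interface_acl=(), sysopt_permit_vpn=True):
        self.vpn_filter, self.interface_acl = vpn_filter, list(interface_acl)
        self.sysopt_permit_vpn, self.conns = sysopt_permit_vpn, set()

    def check(self, p, direction):
        """direction: 'inbound' = decrypted, leaving the tunnel; 'outbound' = clear text about to enter it.
        Only the first packet of a flow consults the ACLs; later packets pass via the conn table."""
        key = (p.proto, frozenset(((p.src, p.sport), (p.dst, p.dport))))
        if key in self.conns:
            return "permit"
        # ACEs are written remote -> local, so pre-encrypt traffic is matched with src/dst swapped
        verdict = first_match(self.vpn_filter, p if direction == "inbound" else swapped(p))
        if verdict == "permit" and direction == "inbound" and not self.sysopt_permit_vpn:
            verdict = first_match(self.interface_acl, p)  # no 'sysopt connection permit-vpn'
        if verdict == "permit":
            self.conns.add(key)
        return verdict


def parse_capture_line(line):
    """Parse the thread's 'show capture' lines: 'N: TIME SRC.PORT > DST.PORT: flags ...'."""
    t = line.split()
    sip, sp = t[2].rsplit(".", 1)
    dip, dp = t[4].rstrip(":").rsplit(".", 1)
    return Packet("tcp", sip, int(sp), dip, int(dp))


# ASA-2's filter and capture from the post above (object LAN-1 expanded as 'show access-list' prints it)
ASA2_FILTER = parse_acl("""
access-list VPN_FILTER_HQ extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq telnet
access-list VPN_FILTER_HQ extended deny ip any any log
""")
CAPTURE = [
    "43: 21:32:55.785527       10.10.0.1.40422 > 10.20.0.2.23: S 448803166:448803166(0) win 4128 <mss 536>",
    "44: 21:32:55.790608       10.20.0.2.23 > 10.10.0.1.40422: S 1035867207:1035867207(0) ack 448803167 win 4128 <mss 536>",
    "45: 21:32:55.821643       10.10.0.1.40422 > 10.20.0.2.23: . ack 1035867208 win 4128",
]


def handshake_verdicts():
    """SYN arrives decrypted at ASA-2, the SYN/ACK heads back into the tunnel, the ACK arrives again."""
    asa = VpnFilterAsa(ASA2_FILTER)
    return [asa.check(parse_capture_line(l), d) for l, d in zip(CAPTURE, ["inbound", "outbound", "inbound"])]


def ssh_r1_to_r2():
    """The original poster's R1 -> R2 ssh ACE applied unchanged at both ends: the SYN from R1
    (20.0.0.0/24) is outbound at ASA1 but inbound at ASA2, whose local network is 30.0.0.0/24."""
    ace = parse_acl("access-list VFILTER1 extended permit tcp 30.0.0.0 255.255.255.0 eq 22 20.0.0.0 255.255.255.0")
    syn = Packet("tcp", "20.0.0.1", 40000, "30.0.0.1", 22)  # constructed packet, R1 -> R2
    return {"ASA1": VpnFilterAsa(ace).check(syn, "outbound"), "ASA2": VpnFilterAsa(ace).check(syn, "inbound")}


def sysopt_effect():
    """Same telnet SYN behind a hypothetical outside ACL that only permits ssh:
    skipped with the default sysopt, enforced (and the SYN denied) without it."""
    outside = parse_acl("access-list OUTSIDE_IN extended permit tcp any any eq ssh")  # constructed ACL
    syn = parse_capture_line(CAPTURE[0])
    return (VpnFilterAsa(ASA2_FILTER, outside, True).check(syn, "inbound"),
            VpnFilterAsa(ASA2_FILTER, outside, False).check(syn, "inbound"))
```

Running handshake_verdicts() permits all three captured packets, which is what the capture shows: the SYN is matched against line 1 of VPN_FILTER_HQ, and the SYN/ACK and ACK never touch the ACL again because the connection already exists. ssh_r1_to_r2() returns permit for ASA1 and deny for ASA2, which is the point of the first reply: the same ACE is right on one end and wrong on the other, because at ASA2 the first packet arrives decrypted and is matched as written, with 20.0.0.1 in the source position. sysopt_effect() shows the interface ACL being skipped by default and enforced once sysopt connection permit-vpn is removed.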

Thanks, that helps a lot. I assume it would be the same thing even if we had access lists defined and we weren't based on security levels, since the sysopt command would bypass the ACLs?