Thanks for getting back to me.

I understand what you're saying, but it seems fishy to me. The documentation I've found seems to specifically indicate that what I'm trying to do should work...

The VPN Filter works bi-directionally with a single ACL. The remote host/network is always defined at the beginning of the ACE , regardless of the direction of the ACE (inbound or outbound).
As ACL is stateful, if the traffic is allowed in one direction, then the return traffic for that flow is automatically allowed.

The specific example given in the documentation (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#bidf) is...

!--- This access list allows the traffic for the remote network 172.16.1.0 
!--- to the local web server on port 80. 
access-list 105 extended permit tcp 172.16.1.0 255.255.255.0 host 172.22.1.1 eq www
!--- This access list allows the traffic in the reverse direction,
!--- from 172.22.1.0 to 172.16.1.3 (ftp server). The remote host/network 
!--- is always defined as the first entry in 
!--- the ACE regardless of the direction.
access-list 105 extended permit tcp host 172.16.1.3 eq ftp 172.22.1.0 255.255.255.0

We do see the devices behave as expected when doing a 'permit ip' between the subnets, but when we 'permit tcp ... eq $PORT' the traffic is blocked. This is also the case where we specifically permit all traffic egress from the internal subnets with the access list and only filter return traffic, for example...

access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq ssh

access-list vpn_acl_x_x_x_x extended permit ip 10.10.0.0 255.255.192.0 any

access-list vpn_acl_x_x_x_x extended deny ip any any

... According to the documentation this should not be necessary but should take care of any bi-directionality issues you've described. I understand that applying acess controls to the internal interfaces will work, but it the documentation I've read indicates that we should be able to do this with the vpn-filter directive.

This seems like a pretty common question and I can't help but feel we're just missing something obvious. I'd love to get to the bottom of it... Thoughts?

Your ACL theory is absolutely correct when it is applied on ASA interfaces.

In this instant, the ACL is applied to vpn-filter, so it works a little differently, especially on L2L VPN as advised earlier.

I agree that it will allow the return traffic as it is stateful, but what you would need to add is the initial packet on the vpn-filter ACL, and the return traffic will definitely be allowed automatically.

OK, so with your example, here is what is required on the VPN filter:

SITE A:

access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

(line 1 is to allow SSH from 10.20.0.1 towards 10.10.0.1, and line 2 is to allow SSH from 10.10.0.1 and 10.20.0.1).

SITE B:

access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

Because vpn-filter ACL is actually applied on the local ASA, that is why you would need to allow traffic as it is inspected through the vpn-filter ACL. Think about the vpn-filter ACL as a global ACL (both inbound and outbound ACL) applied on the local ASA for the traffic within the VPN tunnel.

The configuration you've posted doesn't work in production because the source port is always a random unprivileged port, so you're unable to specify it in the ACL (unless, I guess you say 'gt 1023', which is a security issue in itself).

I understand what you're saying, but it's conflicting with the documentation, which specifically states that it should work;

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#bidf

Interestingly, it also notes...

When a vpn-filter is applied to a group-policy 
that governs an L2L VPN connection, the ACL must be configured with the 
remote network in the src_ip position of the ACL and the local network 
in the dest_ip position of the ACL.
access-list   ip  


Exercise caution when you construct the ACLs for use with the  vpn-filter feature. The ACLs are constructed with the post-decrypted  traffic (inbound VPN traffic) in mind. However, they are also applied to  the traffic originated in the opposite direction.

... This explains why doing something like I posted in my last reply doesn't work. It's expecting the local network to be on the other side of the statement. In practice if this were implemented it would just allow all traffic from the other side of the network, defeating the point of having the filter in place.

The actual deny statements we're seeing are (on the source side)...

Mar 23 02:50:49 172.22.0.5 Mar 23 2011 05:27:43: %ASA-4-106103: access-list vpn_acl_x_x_x_x denied tcp for user '' inside-data/10.10.0.1(54747) -> outside-iptrans/10.20.0.1(22) hit-cnt 1 first hit [0xd8d1c1b4, 0x0

When we try to apply a rule allowing all ip traffic from the source side it doesn't make a difference (although the documentation states that we don't need to do this).

Apology, it should be as follows:

SITE A:

access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1

SITE B:

access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1

Here is the documentation bug that has been raised, and I agree, it is quite confusing with vpn-filter on L2L: CSCse74848

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse74848

Awesome! So, we can do what we need to do with the vpn-filter directive, it's just that each statement requires 2 ACE's. I knew I wasn't completely insane. Thanks for your help and clarification, it's greatly appreciated.

Done & Done. I've updated the thread name to make it easier to find. Thanks again.

There seems to be a fundamental problem with vpn-filter.

I want to allow all traffic from site A to site B, but none originated from site B to site A (site A is the trusted/management network, site B is the untrusted/service network)

Even though vpn-filter is supposed to be stateful, the same filter is applied to both inbound and outbound traffic. So as soon as you add a filter which permits traffic from A to B, it also permits traffic from B to A!

Tested between an ASA5505 and an ASA5520, both running 8.4(3).

So far I have been unable to find a way around this problem, other than:

(1) applying interface ACLs on all the interfaces at site B, blocking traffic to site A's address range; or

(2) "no sysopt connection permit-vpn" at site A, then having to apply explicit ACLs for all the other VPNs coming into site A (e.g. remote-access clients)

Both of these approaches seem to defeat the intended purpose of vpn-filter.

Regards,

Brian.