In/Out ACLs per VPN on ASA

jasonww04
Level 1

Is it possible to do this on an ASA? I can't understand how a router can do a better job with asymmetrical flow control than an ASA.

crypto map VPN 168 ipsec-isakmp
 description CUST-CareOne-LongRidge Site-to-Site
 set peer 108.170.125.242
 set ip access-group VPNCryptoMap168_in-ACL in
 set ip access-group VPNCryptoMap168_out-ACL out
 set transform-set AES256_SHA
 match address VPNCryptoMap168-ACL

ip access-list extended VPNCryptoMap168-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit ip 10.61.0.0 0.0.255.255 172.18.61.0 0.0.0.255
ip access-list extended VPNCryptoMap168_in-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit icmp any object-group CareOne_Somerset_restrict-og echo-reply
 permit udp any eq snmp host 10.61.23.101
 permit udp any host 10.61.23.101 eq tftp
 permit tcp any any established
 permit tcp any host 10.61.202.88 eq telnet www lpd 5357 5800 5900
ip access-list extended VPNCryptoMap168_out-ACL
 remark CUST-CareOne-LongRidge VPN Site-to-Site
 permit ip object-group CareOne_Somerset_restrict-og any

Accepted Solution

Adeolu Owokade
Level 1

Unfortunately, the "vpn-filter" option under the group-policy on the Cisco ASA only applies the VPN filter in the inbound direction and automatically configures the outbound direction. Refer to this link. There is an enhancement that has been opened to support VPN filters in each direction, but it's not been implemented yet.

The only way I see is to change the default behavior and configure the ASA to subject VPN traffic to interface ACLs using the no sysopt connection permit-vpn command and then configure interface ACLs accordingly. I'm not sure if it's worth it to you.
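As an added example (not part of the reply above or of the original post), this is what the `no sysopt connection permit-vpn` workaround looks like on an ASA, with the poster's two IOS ACLs translated to separate ingress and egress interface ACLs. Hosts, networks and the object-group name are taken from the IOS config; the interface names "outside"/"inside", the ACL and service-group names, and the object-group members are assumptions. The remote subnet from the crypto ACL replaces `any` because, once the bypass is disabled, the outside interface ACL also sees non-VPN traffic.

```text
! Local hosts the remote site may reach (members assumed; name from the IOS config)
object-group network CareOne_Somerset_restrict-og
 network-object host 10.61.23.101
 network-object host 10.61.202.88

! ASA ACLs take one port per "eq"; group the ports from the IOS line instead
object-group service LR_TCP_SERVICES tcp
 port-object eq telnet
 port-object eq www
 port-object eq lpd
 port-object eq 5357
 port-object eq 5800
 port-object eq 5900

! Direction 1: decrypted traffic arriving from the peer (VPNCryptoMap168_in-ACL equivalent).
! ASA ACLs use subnet masks, not wildcard masks. There is no "established" keyword:
! the ASA is stateful, so return traffic for locally initiated sessions is matched
! by the connection table rather than by the ACL.
access-list OUTSIDE_IN extended permit icmp 172.18.61.0 255.255.255.0 object-group CareOne_Somerset_restrict-og echo-reply
access-list OUTSIDE_IN extended permit udp 172.18.61.0 255.255.255.0 eq snmp host 10.61.23.101
access-list OUTSIDE_IN extended permit udp 172.18.61.0 255.255.255.0 host 10.61.23.101 eq tftp
access-list OUTSIDE_IN extended permit tcp 172.18.61.0 255.255.255.0 host 10.61.202.88 object-group LR_TCP_SERVICES
access-list OUTSIDE_IN extended deny ip any any log

! Direction 2: traffic leaving toward the peer before encryption (VPNCryptoMap168_out-ACL equivalent).
access-list OUTSIDE_OUT extended permit ip object-group CareOne_Somerset_restrict-og 172.18.61.0 255.255.255.0
access-list OUTSIDE_OUT extended deny ip any 172.18.61.0 255.255.255.0 log

! Stop decrypted VPN traffic from bypassing interface ACLs, then apply one ACL per direction
no sysopt connection permit-vpn
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside
```

Because OUTSIDE_IN now governs everything entering the outside interface, including any other tunnels terminating there and non-VPN traffic, its final deny must be checked against those flows before it is applied; verify with `packet-tracer input outside` in both directions.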
