
L2L IPSec Policy based VPN Port Restriction

Praveen Kumar
Level 1

We have about 100 VPN tunnels on the FTD managed by FMC.
       > All tunnels are policy based IPSec tunnels
       > All tunnel "End Point" use standard ACL 
       > All tunnels have "sysopt permit-vpn" enabled

Now, we want the newer tunnels to have port level restrictions in addition to IP. How can this be accomplished? I see "Access List (Extended)" under "Protected Networks:" but I am not sure if that is the best option. Please advise.

Accepted Solutions

@Praveen Kumar ok, I think VPN filters were added to the GUI in 7.1, so you could try deploying using FlexConfig or upgrade to 7.2.


Thanks for the quick response. I forgot to mention that our FMC is on version 7.0.6. 

Thanks.