Solved: Locking down Site 2 Site IPsec vpn vpn-filter clarity?

craig.corbett · ‎11-03-2012

Can someone please provide some clarity and explanation to the vpn-filter feature?

I have a site to site vpn, local there are 2 subnets, and remote there are 4. I need to restrict the remote subnets from accessing one of the local subnets, but I need to allow both local subnets to access all 4 remote subnets. I don’t have control over the remote ACL’s. Can I do what I need to do with the vpn-filter feature configured on the local side only?

Software Version 8.2(1) - will be upgrading soon.

Comments, hints / tips, greatly appreciated.

Thanks.

Marcin Latosiewicz · ‎11-03-2012

What you need to remember is that VPN filter is applied as an access-list for all traffic from remote to your local LAN.

It is associated with particular SAs. The behavior is not fully stateful so take care of what you're doing :-)

It's all in command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630190

View solution in original post

Marcin Latosiewicz · ‎11-03-2012

What you need to remember is that VPN filter is applied as an access-list for all traffic from remote to your local LAN.

It is associated with particular SAs. The behavior is not fully stateful so take care of what you're doing :-)

It's all in command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630190