
Question regarding ASA vfilter



I recently found out that Vfilter on ASA VPNs is considered stateless and always configured inbound. So let's take the following example:


If I want to SSH from R1 to R2, then I will need the following:

access-list VFILTER1 extended permit tcp eq 22

And if I was interested in doing SSH from R2 to R1, I would do this:

access-list VFILTER1 extended permit tcp eq 22
However, since it is stateless, I assume the above will allow the first 'flow' from R2 to R1, but R1 to R2 (return traffic) will be allowed by an existing ACL on the inside interface (if there is one) or by default from security levels?




VPN Filters are configured inbound direction, but they are bi-directional/stateful as the outbound rule is automatically compiled.


No interface-level ACLs need to be configured; the sysopt connection permit-vpn command (which is the default) allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists.


Your examples therefore look correct if applied to ASA1; they would be incorrect if applied to ASA2.



Yes, I was talking about the config of ASA1. However, I do remember a friend mentioning that in his case a TAC engineer told him that vfilter is stateless, which is why I'm not sure I understand 'technically' how a stateless vfilter can bypass ACLs with sysopt and still allow the traffic from inside to outside (let's say the SYN and ACK packets of the 3-way handshake).

Applied VPN Filter + capture of 3-way handshake




group-policy POLICY attributes
 vpn-filter value VPN_FILTER_HQ
ASA-2(config)# show run object in-line
object network LAN-1 subnet


ASA-2(config)# show run access-list
access-list VPN_FILTER_HQ extended permit tcp object LAN-1 eq telnet
access-list VPN_FILTER_HQ extended deny ip any any log

ASA-2(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN_FILTER_HQ; 2 elements; name hash: 0xa3042b44
access-list VPN_FILTER_HQ line 1 extended permit tcp object LAN-1 eq telnet (hitcnt=2) 0x9249a9d4
  access-list VPN_FILTER_HQ line 1 extended permit tcp eq telnet (hitcnt=2) 0x9249a9d4
access-list VPN_FILTER_HQ line 2 extended deny ip any any log informational interval 300 (hitcnt=0) 0x69ad53d5

show capture CAPIN

43: 21:32:55.785527 > S 448803166:448803166(0) win 4128 <mss 536>
44: 21:32:55.790608 > S 1035867207:1035867207(0) ack 448803167 win 4128 <mss 536>
45: 21:32:55.821643 > . ack 1035867208 win 4128


Switch#show ip int br | inc Loopback

Trying ... Open

User Access Verification
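As an added illustration (not code from the thread or from Cisco), a small Python model of the decision the earlier reply describes: the vpn-filter ACE is written remote-to-local and applied inbound, and the ASA checks outbound traffic against the automatically compiled mirror of it, which is why the single permit ACE covers every leg of the captured handshake. The addresses and the ACE source (which the post elides) are assumptions, and the mirror-rule detail (source/destination swapped, ACE port compared with the packet's source port) goes slightly beyond what the thread states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (not from the thread): remote LAN behind the far end of
# the tunnel, local LAN behind ASA-2 standing in for "object LAN-1".
REMOTE_LAN = ipaddress.ip_network("10.1.0.0/24")
LOCAL_LAN = ipaddress.ip_network("10.2.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # vpn-filter ACEs are written remote -> local
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any port

Pkt = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# The ACL from the post; the page elides the source, REMOTE_LAN is assumed here.
VPN_FILTER_HQ = [Ace("permit", REMOTE_LAN, LOCAL_LAN, 23),   # eq telnet
                 Ace("deny", ANY, ANY, None)]

def _hits(ace: Ace, src: str, dst: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.dport is None or ace.dport == port))

def vpn_filter(acl: List[Ace], pkt: Pkt, inbound: bool) -> str:
    """Inbound (post-decrypt) packets are matched as written. Outbound (pre-encrypt)
    packets hit the automatically compiled mirror: ACE source/destination are swapped
    and the ACE's destination port is checked against the packet's SOURCE port."""
    src, sport, dst, dport = pkt
    for ace in acl:
        hit = _hits(ace, src, dst, dport) if inbound else _hits(ace, dst, src, sport)
        if hit:
            return ace.action
    return "deny"  # implicit deny at the end of every ACL

def telnet_handshake() -> List[str]:
    """Remote 10.1.0.10 telnets to local 10.2.0.10, as in the capture above:
    SYN in, SYN/ACK out, ACK in. Every leg is permitted by the single permit ACE."""
    syn = ("10.1.0.10", 1025, "10.2.0.10", 23)
    syn_ack = ("10.2.0.10", 23, "10.1.0.10", 1025)
    return [vpn_filter(VPN_FILTER_HQ, syn, True),
            vpn_filter(VPN_FILTER_HQ, syn_ack, False),
            vpn_filter(VPN_FILTER_HQ, syn, True)]

def local_initiated_telnet() -> str:
    """A session opened from the local side to the remote's port 23 reaches the mirror
    rule with source port 4000, not 23, so it falls through to the deny."""
    return vpn_filter(VPN_FILTER_HQ, ("10.2.0.10", 4000, "10.1.0.10", 23), False)
```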


Thanks, that helps a lot. I assume it would be the same thing even if we had access lists defined and we weren't based on security levels, since the sysopt command would bypass the ACLs?



