And if I were interested in doing SSH from R2 to R1, I would do this:

access-list VFILTER1 extended permit tcp 184.108.40.206 255.255.255.0 220.127.116.11 255.255.255.0 eq 22

However, since it is stateless, I assume the above will allow the first 'flow' from R2 to R1, but R1 to R2 (return traffic) will be allowed by an existing ACL on the inside interface (if there is one) or by default from security zones?
VPN filters are configured in the inbound direction, but they are bi-directional/stateful, as the outbound rule is automatically compiled.
No interface-level ACLs need to be configured; the sysopt connection permit-vpn command (which is the default) allows all traffic that enters the security appliance through a VPN tunnel to bypass the interface access lists.
Your examples therefore look correct if applied to ASA1; they would be incorrect if applied to ASA2.
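For reference, this is an added configuration example (not part of the original thread, and not the poster's config) showing where a VPN filter sits on ASA1. The networks, the group-policy name GP_L2L and the peer address 203.0.113.2 are assumed placeholders: 10.1.0.0/24 is taken as the local network behind ASA1 (R1) and 10.2.0.0/24 as the remote network behind ASA2 (R2). The filter ACL is written from the remote (peer) side's perspective because the ASA applies it to traffic arriving through the tunnel; the reverse (return) rule is what the ASA compiles automatically.

```text
! --- ASA1 (example configuration, assumed addresses) ---

! Decrypted VPN traffic bypasses interface ACLs; this is the default
! and is only shown here so the behaviour is explicit.
sysopt connection permit-vpn

! VPN filter: inbound from the tunnel, so source = remote net (R2 side),
! destination = local net (R1 side). Permits R2 -> R1 on tcp/22.
! Return traffic (R1 -> R2, SYN-ACK etc.) is matched by the reverse rule
! the ASA compiles from this entry; no separate outbound line is needed.
access-list VFILTER1 extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 22

! To also allow sessions initiated from the local side (R1 -> R2 on tcp/22),
! keep the remote net as source and put the port on the source side,
! since the entry still describes the packet as seen arriving from the peer.
access-list VFILTER1 extended permit tcp 10.2.0.0 255.255.255.0 eq 22 10.1.0.0 255.255.255.0

! Attach the filter to the group-policy used by the site-to-site tunnel.
group-policy GP_L2L internal
group-policy GP_L2L attributes
 vpn-filter value VFILTER1

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP_L2L
```

A quick check after applying it: "show running-config all sysopt" confirms sysopt connection permit-vpn is still in effect, and "show access-list VFILTER1" shows hit counts climbing on the tcp/22 entry when R2 connects to R1. The same ACL applied on ASA2 would be wrong, because there the source and destination networks are reversed relative to the tunnel.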
Yes, I was talking about the config of ASA1. However, I do remember a friend mentioning that in his case a TAC engineer told him that the VPN filter is stateless, which is why I'm not sure I understand 'technically' how a stateless VPN filter can bypass ACLs with sysopt and still allow the traffic from inside to outside (let's say the SYN and ACK packets of the 3-way handshake).