Should I apply a single VPN Filter to multiple L2L VPNs, or should each VPN tunnel have their own VPN filter on an ASA?

jorkchristopher
Level 1

I am currently trying to decide whether, when creating VPN filters, I should just create a single one and apply it to multiple VPN tunnels, or whether each VPN tunnel should have its own VPN filter. Creating a VPN filter for every VPN tunnel seems like added work, but I'm not sure if it's the better choice. I have looked through documentation, but it never mentions applying VPN filters to multiple tunnels.

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Jork,

If you add one VPN filter for each tunnel group, it will be more work, but at the same time you will have more control over the outside users attempting to connect to your network.

I would say that you will have different tunnel-groups (each of them will have its own functionality), so it depends on what you are attempting to implement.

If the people that will use X tunnel-group are the same as the ones that will use Y tunnel-group, then you can use the same one.

I hope I understood your question.

Regards.

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

3 Replies

Hi Julio,

I think I'm leaning towards creating a VPN filter for each IPsec L2L tunnel because I can name them to refer to what they are being used for. If I create a single VPN filter for all of the tunnels, it would be hard to keep track of what every single ACE is for.

Thanks!

Hello Jork,

That is correct, in fact that would be the best suggestion I could have provided you.

Is there something else I can do for you? If not, please mark the question as answered.

Have a wonderful day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
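
An added example, not part of the original thread or any Cisco tooling: a Python check that reads an ASA running-config excerpt and reports which L2L peers share a vpn-filter ACL (with its ACE count) and which peers have no filter at all. The ACL names, group-policy names and addresses are constructed, and it assumes filters are attached under `group-policy ... attributes` and selected per tunnel with `default-group-policy`.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (names and addresses are made up).
SAMPLE_CONFIG = """\
access-list VPNF-PARTNER-A extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.1.10 eq 443
access-list VPNF-SHARED extended permit ip 10.30.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNF-SHARED extended permit ip 10.40.0.0 255.255.255.0 192.168.1.0 255.255.255.0
group-policy GP-PARTNER-A attributes
 vpn-filter value VPNF-PARTNER-A
group-policy GP-SHARED attributes
 vpn-filter value VPNF-SHARED
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-PARTNER-A
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy GP-SHARED
tunnel-group 198.51.100.30 type ipsec-l2l
tunnel-group 198.51.100.30 general-attributes
 default-group-policy GP-SHARED
tunnel-group 192.0.2.40 type ipsec-l2l
"""

def audit_vpn_filters(config):
    """Return (ACL -> peers, shared ACLs with ACE counts, peers with no filter)."""
    aces, pol_filter, peer_pol, peers, ctx = defaultdict(int), {}, {}, [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            ctx = None  # any top-level command leaves the previous sub-mode
        if m := re.match(r"access-list (\S+) extended ", line):
            aces[m[1]] += 1
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            peers.append(m[1])
        elif m := re.match(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes", line):
            ctx = (m[1], m[2])
        elif ctx and ctx[0] == "group-policy" and (m := re.match(r" vpn-filter (?:value (\S+)|none)", line)):
            pol_filter[ctx[1]] = m[1]  # None when the policy says "vpn-filter none"
        elif ctx and ctx[0] == "tunnel-group" and (m := re.match(r" default-group-policy (\S+)", line)):
            peer_pol[ctx[1]] = m[1]
    usage, unfiltered = defaultdict(list), []
    for peer in peers:
        policy = peer_pol.get(peer, "DfltGrpPolicy")  # ASA default when none is set
        # Assumption: a policy without its own vpn-filter inherits DfltGrpPolicy's.
        acl = pol_filter.get(policy, pol_filter.get("DfltGrpPolicy"))
        (usage[acl] if acl else unfiltered).append(peer)
    shared = {a: (p, aces[a]) for a, p in usage.items() if len(p) > 1}
    return dict(usage), shared, unfiltered
```

On the sample, `VPNF-SHARED` is reported as shared by two peers with two ACEs, which is the case where it becomes hard to tell which entry belongs to which tunnel.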