12-01-2015 02:07 PM
Hi Everyone,
We are setting up site-to-site IPsec with a vendor.
For security reasons we do not want to allow all traffic via the tunnel.
The ASA has 2 interfaces, inside and outside.
We have deny ip any any on the outside interface.
I have configured a vpn-filter ACL to allow SSH and ICMP traffic via the tunnel.
Then I applied this under the group policy:
vpn-filter value name
I need to confirm: do I also need to allow IPsec protocols like ESP etc. under the VPN filter ACL?
Regards
Mahesh
12-01-2015 02:43 PM
The vpn-filter is only applied on the traffic that flows through the tunnel. You don't need to allow any traffic that "builds" the VPN like IKE and IPsec.
On the ASA, you also don't need to add this traffic to your outside ACL as it is needed on the IOS routers.
For the vpn-filter, just be aware that the syntax is not
permit/deny PROTOCOL SOURCE DESTINATION
It is
permit/deny PROTOCOL REMOTE LOCAL
That is relevant when you want to filter traffic from your network to the peer's network.
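A worked ASA config for the SSH and ICMP case, added here as an example and not part of Karsten's answer or Mahesh's actual setup. The network objects, ACL name, group-policy name and peer address are constructed placeholders; the point is the REMOTE LOCAL orientation of every ACE and the absence of any IKE/ESP entries.

```text
! Added example, not from the original thread. Constructed placeholders:
!   10.10.0.0/24  = our inside network (LOCAL)
!   192.0.2.0/24  = vendor network (REMOTE)
!   198.51.100.1  = vendor's IPsec peer address
object network LOCAL-NET
 subnet 10.10.0.0 255.255.255.0
object network VENDOR-NET
 subnet 192.0.2.0 255.255.255.0
!
! vpn-filter ACEs are written REMOTE first, LOCAL second.
! Vendor hosts may open SSH sessions to our hosts (dest port 22 on the LOCAL side):
access-list VPN-FILTER-VENDOR extended permit tcp object VENDOR-NET object LOCAL-NET eq 22
! Our hosts may open SSH sessions to vendor hosts. The ASA evaluates outbound
! packets with source/destination swapped, so the ACE stays REMOTE LOCAL and
! port 22 appears as a source port on the REMOTE side:
access-list VPN-FILTER-VENDOR extended permit tcp object VENDOR-NET eq 22 object LOCAL-NET
! ICMP between the two networks:
access-list VPN-FILTER-VENDOR extended permit icmp object VENDOR-NET object LOCAL-NET
! Deliberately no ACE for esp, udp/500 or udp/4500: IKE and ESP terminate on the
! ASA itself and never pass through the vpn-filter or the outside interface ACL.
!
group-policy GP-VENDOR internal
group-policy GP-VENDOR attributes
 vpn-filter value VPN-FILTER-VENDOR
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GP-VENDOR
```

Anything the tunnel carries that is not matched by an ACE is dropped by the implicit deny at the end of the vpn-filter, which is what keeps the vendor link limited to SSH and ICMP.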
12-01-2015 02:49 PM
Hi Karsten,
Thanks for the great explanation.
Best Regards
Mahesh