VPN-filter config on VPN traffic

mahesh18
Level 6

Hi Everyone,

We are setting up site-to-site IPsec with a vendor.

For security reasons we do not want to allow all traffic via the tunnel.

The ASA has 2 interfaces, inside and outside.

We have deny ip any any on the outside interface.

I have configured a vpn-filter ACL to allow traffic for ssh and icmp via the tunnel.

Then I applied this under the group policy:

vpn-filter value name

I need to confirm: do I also need to allow IPsec protocols like ESP etc. under the vpn-filter ACL?

Regards

Mahesh

Accepted Solution

The vpn-filter is only applied on the traffic that flows through the tunnel. You don't need to allow any traffic that "builds" the VPN like IKE and IPsec.

On the ASA, you also don't need to add this traffic to your outside ACL, as you would on IOS routers.

For the vpn-filter, just be aware that the syntax is not

permit/deny PROTOCOL SOURCE DESTINATION

It is 

permit/deny PROTOCOL REMOTE LOCAL

that is relevant when you want to filter traffic from your network to the peers network.
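The two points of this answer (nothing for IKE/ESP in the filter or the outside ACL, and REMOTE-before-LOCAL ordering) as one worked ASA configuration. This is an added example, not configuration from the original post or from Cisco: the local network 10.1.1.0/24, the vendor network 192.168.50.0/24, the peer address 203.0.113.10 and the names VENDOR_VPN_FILTER and VENDOR_GP are all assumed placeholders.

```text
! Added example (not from the original post). Assumed: local network 10.1.1.0/24,
! vendor network 192.168.50.0/24, vendor peer 203.0.113.10. Replace with your own.
!
! vpn-filter ACEs are written REMOTE first, LOCAL second, not source/destination.
! Allow our hosts to open SSH sessions to vendor hosts: the port goes with the
! REMOTE (server) side. The ASA is stateful, so return traffic is allowed
! automatically, but a vendor host connecting to OUR port 22 does not match.
access-list VENDOR_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 eq 22 10.1.1.0 255.255.255.0
! Allow ICMP in both directions between the two networks (no port, so it matches
! whichever side initiates).
access-list VENDOR_VPN_FILTER extended permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
! Implicit deny: any other decrypted traffic from this peer is dropped.
! No ACEs for ESP, AH or UDP 500/4500: IKE and ESP terminate on the ASA itself and
! never pass through the filter, which only sees the decrypted inner traffic.
!
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_VPN_FILTER
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy VENDOR_GP
!
! The outside interface ACL (deny ip any any) stays as it is. IKE/ESP addressed
! to the ASA is to-the-box traffic and is not checked against interface ACLs, and
! decrypted tunnel traffic bypasses the interface ACL while the default
! "sysopt connection permit-vpn" is in effect, so the vpn-filter is the control.
```

If the vendor must also initiate SSH to a local host, that is a separate ACE with `eq 22` after the local address, not a reversed copy of the first line. Do not reuse VENDOR_VPN_FILTER as an interface access-group, since the two are evaluated with opposite address ordering. After the tunnel is up, `show vpn-sessiondb detail l2l` lists the filter name attached to the session, and `show asp table filter access-list VENDOR_VPN_FILTER` shows the rules as installed.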


Hi Karsten,

Thanks for the great explanation.

Best Regards

Mahesh