vpn-filter and interface acl restriction


So site A has on inside and site B has on its inside

We have ipsec L2L tunnel. We want filtering so that only ssh traffic goes over vpn (bidirectional)

on inside int of site A we have

acl_inside_site_A permit tcp eq 22

Crypto acl on site A is permit ip to

Assume that site B has permit ip any any on all of its interfaces and is not using vpn-filters. Crypto acl on B is a simple permit ip from .2 to .1

Both ASAs have sysopt permit-vpn enabled

Now to restrict site B to be able to connect to port 22 only of site A, do we need vpn-filter or would the already existing

acl_inside_site_A permit tcp eq 22 would take care of that?

I believe

acl_inside_site_A permit tcp eq 22

would take care of filtering traffic initiated from A, but to restrict vpn traffic only to ssh when it's initiated from site B, we will need the filter as

on site A, vpn-filter permit tcp eq 22

Am I correct or we don't need vpn-filter?


5 Replies


At this point it is up to you.

You could either use the filter or the access-group.

The benefit of using the access-group on the inside interface is that the traffic does not even flow across the tunnel, so you save bandwidth resources.

Keep me posted.


Please rate any helpful posts.

Message was edited by: Javier Portuguez

I think I wasn't clear with my question

What about traffic initiated by the other side though?

Non-ssh traffic from side B would come through over the vpn and hit the box on side A. When side A replies, would that traffic go through because of the stateful nature, irrespective of

acl_inside_site_A line 1 permit tcp eq 22

acl_inside_site_A line 2 deny tcp

If you are not going to add the ACL's on both sides then the VPN filter is the best option.

I am not concerned about the best option.

I wish to know if it would actually work the way I stated

It should work with the ACL as well, since you are only allowing SSH.
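As an added illustration of the vpn-filter option discussed in this thread (not configuration posted by anyone in it), here is what the site A side would look like. The addresses are constructed placeholders, not the poster's; the crypto map and ISAKMP configuration are assumed to already exist and are omitted. The key detail is that vpn-filter entries are written from the remote peer's point of view and the ASA mirrors the same ACL for traffic leaving the tunnel, so a single `eq 22` entry only permits one side to initiate SSH.

```cisco
! Site A ASA. Constructed addresses: site A inside = 10.1.1.0/24,
! site B inside = 10.2.2.0/24, site B peer = 198.51.100.2 (placeholders).
!
! vpn-filter ACL: source = REMOTE (site B), destination = LOCAL (site A).
! The ASA applies the same ACL to both directions by swapping addresses,
! so each line governs the connections one side may initiate.
!
! B may open SSH to A; A's replies (sport 22 -> B) match the mirrored check.
access-list VPN-FILTER-B extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
! A may open SSH to B; the mirrored check sees B:22 -> A.
access-list VPN-FILTER-B extended permit tcp 10.2.2.0 255.255.255.0 eq 22 10.1.1.0 255.255.255.0
! Implicit deny drops every other protocol/port in both directions,
! including connections initiated from B that an inside ACL on A never sees.
!
group-policy GP-SITE-B internal
group-policy GP-SITE-B attributes
 vpn-filter value VPN-FILTER-B
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 general-attributes
 default-group-policy GP-SITE-B
!
! Why the inside ACL alone does not cover B-initiated traffic:
! "sysopt connection permit-vpn" lets decrypted tunnel traffic bypass the
! outside interface ACL, and the inside ACL only evaluates packets entering
! from the inside; replies to a B-initiated connection are matched by the
! existing connection entry, not re-evaluated against the ACL.
!
! Verify the binding and the filter hits with:
!   show run group-policy GP-SITE-B
!   show access-list VPN-FILTER-B
!   show vpn-sessiondb l2l
```

The same ACL must not also be applied with access-group on an interface; keep the vpn-filter ACL separate from the inside interface ACL.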
