1775 Views | 0 Helpful | 5 Replies

VPN filter on ASA for inbound and outbound traffic?

kashif.rana
Level 1

Hello Experts

 

Are IPsec VPN filter ACLs applied to inbound traffic or to outbound traffic only?

Also, if no VPN filter ACL is configured, is outbound traffic allowed as per the inside ACL?

Also, if a VPN filter ACL is configured (whose last statement is deny ip any any), is outbound traffic allowed as per the inside ACL, and do I then have to allow the same in the VPN filter ACL also?

Also, if no VPN filter ACL is configured, is all inbound VPN traffic allowed as per the crypto map ACL?

 

Regards,

 

KR

5 Replies

balaji.bandi
Hall of Fame

You need to show us your topology and how you designed it.

 

The ACL requirements are based on the requirement.

If the outbound traffic is coming in, you need an outside ACL to allow it in.

If the connection is going from internal to external, you need an inside ACL to allow it to outside.

 

BB


Hi

I have a flow inside (local) -> outside (remote), tunneled. I have the interface access-list (for example "inside_in") applied on interface "inside". But I also have a VPN-filter (whose last statement is deny ip any any).

When I permit the flow inside -> outside in the interface access-list "inside_in", do I have to do the same in the VPN-filter? Or is "inside_in" alone enough, and is the VPN-filter only for flows originated on the remote side?

VPN filter rules are applied in the inbound direction, but the rules are applied bidirectionally.

 

If you do not have a VPN filter specified, then whatever you permitted in your crypto map ACL will be encrypted and therefore permitted.

 

Here are some useful links and examples which should address your questions:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

https://popravak.wordpress.com/2011/11/05/cisco-asa-vpn-filter-as-i-see-it/

 

HTH

Thanks. But how about the outbound traffic passing through the VPN below?

 

I have a flow inside (local) -> outside (remote), tunneled. I have the interface access-list (for example "inside_in") applied on interface "inside". But I also have a VPN-filter (whose last statement is deny ip any any).

When I permit the flow inside -> outside in the interface access-list "inside_in", do I have to do the same in the VPN-filter? Or is "inside_in" alone enough, and is the VPN-filter only for flows originated on the remote side?

VPN traffic is not filtered by interface ACLs; this is mentioned in one of the links I sent. Therefore, if you want to filter traffic over the VPN, you'd use the VPN filter.

HTH
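The two replies above (the vpn-filter being applied inbound but matched for both directions, and the interface ACL not filtering tunneled traffic) are easiest to see with a small model of how the ASA matches a vpn-filter ACL. The following Python is an added illustration written for this thread, not Cisco code and not part of the original posts. It assumes, as the linked Cisco document describes, that the vpn-filter ACL is always evaluated with the remote end of the tunnel as the source and the local end as the destination, whichever side opened the connection, and that the ACL ends with an implicit deny. The networks, hosts and ACL name are constructed for the example.

```python
"""Model of how an ASA vpn-filter ACL is matched (added illustration, not
Cisco code).  Assumption: the ACL is always evaluated remote -> local,
whichever side initiated the connection, with an implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-control entry, already in remote -> local orientation."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network    # remote side of the tunnel
    src_port: Optional[int]       # port on the remote side, if given
    dst: ipaddress.IPv4Network    # local side of the tunnel
    dst_port: Optional[int]       # port on the local side, if given


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        src, i = _addr(t, 5)
        src_port, i = _port(t, i)
        dst, i = _addr(t, i)
        dst_port, i = _port(t, i)
        aces.append(Ace(t[3], t[4], src, src_port, dst, dst_port))
    return aces


def vpn_filter_allows(aces, proto, initiator, init_port, responder, resp_port,
                      local_initiated):
    """True if the vpn-filter permits this connection.

    initiator/responder are the two ends of the connection; local_initiated
    says whether the initiator sits behind this ASA.  The flow is first turned
    round into remote -> local form, because that is the only orientation in
    which the vpn-filter ACL is written and matched."""
    if local_initiated:
        remote, rport, local, lport = responder, resp_port, initiator, init_port
    else:
        remote, rport, local, lport = initiator, init_port, responder, resp_port
    remote, local = ipaddress.IPv4Address(remote), ipaddress.IPv4Address(local)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if remote not in a.src or local not in a.dst:
            continue
        if a.src_port is not None and a.src_port != rport:
            continue
        if a.dst_port is not None and a.dst_port != lport:
            continue
        return a.action == "permit"      # first matching entry decides
    return False                         # implicit deny ip any any


# Constructed sample: local LAN 10.1.1.0/24 behind this ASA, remote LAN
# 192.168.1.0/24 at the far end of the tunnel (made-up addresses).
VPN_FILTER = """
access-list vpnfilt extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.10 eq 80
access-list vpnfilt extended permit tcp 192.168.1.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
access-list vpnfilt extended deny ip any any
"""
ACES = parse_acl(VPN_FILTER)


def demo():
    """Evaluate the flows discussed in the thread against the filter."""
    return {
        # remote host browsing to the local web server: matched by entry 1
        "remote_to_local_http": vpn_filter_allows(
            ACES, "tcp", "192.168.1.50", 40000, "10.1.1.10", 80, local_initiated=False),
        # local host browsing to a remote HTTPS server: matched by entry 2,
        # where the remote port 443 sits in the SOURCE position of the ACE
        "local_to_remote_https": vpn_filter_allows(
            ACES, "tcp", "10.1.1.20", 51000, "192.168.1.5", 443, local_initiated=True),
        # local host to a remote web server on port 80: a permit in the
        # inside_in interface ACL would not help on its own; the vpn-filter
        # has no matching entry, so the implicit deny drops it
        "local_to_remote_http": vpn_filter_allows(
            ACES, "tcp", "10.1.1.20", 51000, "192.168.1.5", 80, local_initiated=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The point the model makes is the one asked in the thread: permitting the inside -> outside flow in "inside_in" is not what decides whether it crosses the tunnel; the vpn-filter is, and for a locally initiated connection the entry has to be written with the remote server's port on the source side of the ACE. An entry written from the inside perspective (local network as source) never matches any tunneled flow, because the filter is always evaluated remote -> local.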