vpn filter query

rathinilesh
Level 1

Hi,

I have a query about traffic traversing a site-to-site VPN tunnel.

My client wants to route all "ip" traffic from a network a.b.c.d /24 to e.f.g.h /24 over the VPN, except "smtp" traffic.

They want "smtp" traffic from a.b.c.d /24 to e.f.g.h /24 to bypass the VPN and escape to the internet directly.

Both address ranges (a.b.c.d /24 and e.f.g.h /24) are globally routable (as they are public addresses).

The vpn device on my side is a Cisco ASA5520 running software version 7.0

Would a "vpn-filter" be the solution I am looking at?

Any suggestions on this issue would be helpful. Thanks

Regards,

Nilesh

3 Replies

Hi Nilesh,

Hope this will help.

access-list 103 extended deny tcp any x.x.x.x x.x.x.x log
access-list 103 extended permit ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value 103
access-group 103 in interface outside
tunnel-group (Remote Peer IP) x.x.x.x general-attributes
default-group-policy filter

Hi Kiran,

Thank you for your reply.

The access-list 103 will block all "tcp" traffic. I will modify it though.

My concern is about the denied traffic. Does the traffic that is denied under a vpn-filter escape to the internet, bypassing the VPN?

Regards,

Nilesh

Hi Nilesh,

To your question, the answer is no. Traffic denied by the VPN filter will be dropped and not sent to the internet.

Regards,

Prapanch
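Since a vpn-filter deny drops the flow rather than diverting it, the way to send SMTP around the tunnel is to keep it out of the crypto map's interesting-traffic ACL; the configuration sketch below is an added example, not from any of the posters. It assumes 192.0.2.0/24 and 198.51.100.0/24 as constructed stand-ins for the two public /24s, and OUTSIDE_MAP / L2L_CRYPTO as assumed names.

```cisco
! Added example (not from the thread). 192.0.2.0/24 = local /24, 198.51.100.0/24 = remote /24
! (constructed stand-ins); OUTSIDE_MAP and L2L_CRYPTO are assumed names.
!
! A deny entry in the crypto-map ACL means "do not encrypt this flow".
! SMTP between the two /24s then never enters the tunnel: it is forwarded by the
! ordinary routing table (and any NAT rules) and leaves the outside interface
! in the clear. Everything else between the two /24s is still encrypted.
access-list L2L_CRYPTO extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq smtp
access-list L2L_CRYPTO extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
!
! The remote peer's crypto ACL must mirror this exclusion, otherwise its side will
! still try to encrypt SMTP and the SA negotiation for those flows will fail.
!
! Contrast: putting the same deny line into a vpn-filter ACL would drop SMTP
! outright (as answered above), not route it around the tunnel.
!
! Check: after a test SMTP session, the tunnel's encaps/decaps counters should not
! move, while other traffic between the two networks still increments them.
show crypto ipsec sa
```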