vpn-filter question

jjoseph01
Level 3

Hi all. I think I get the vpn-filter purpose, but my question is: IF I prefer to do my interesting-traffic ACL with port numbers specified, and not use the vpn-filter option, will this not work as well? That is how I'm used to configuring site-to-site VPNs, and this vpn-filter thing is just odd to me. I have ASA version 8.4(2), so will I have to use the vpn-filter option to only allow certain ports across the VPN? Thanks in advance.

3 Replies

Your approach with the ports in the crypto ACL will work if configured correctly. In practice, I've seen many problems due to this way of configuration. Keep in mind that the ACL has to be mirrored on the other side in most cases.

And you will consume more resources on your VPN gateways, as you get one pair of IPsec SAs per line in the crypto ACL.


Hi,

I would have to agree with Karsten with regards to the Crypto ACL.

Even though that way of configuring the ACL is more specific, it's very likely to cause problems and mismatches with the L2L VPN configuration between the peers.

Then again, especially in the case of L2L VPN, the VPN Filter ACLs are pretty confusing at times and they don't quite work with the same logic as the usual ACLs. This is because a single Filter ACL line works for traffic in both directions. So it potentially opens something that you don't want to open.

I would suggest a different approach:

  • Configure your L2L VPN Crypto ACLs with all the hosts/subnets that you might require to communicate with each other
  • Disable the "sysopt" setting that permits all VPN traffic to bypass your "outside" interface (whatever it might be named) ACL
  • Now you can allow or deny all L2L VPN traffic as you would do for normal Internet traffic. Even though it might bloat the ACL, I think it keeps the setup easier to manage and there aren't many ACLs to keep track of.

Naturally the above setup would require going through the whole configuration and, depending on the current setup, might require too much work for one to start changing to it. I have just found it to be pretty easy to manage and a really straightforward approach to controlling VPN traffic for both Clients and Sites.

Most other environments that I manage have a totally separate VPN device. VPN user connections are also controlled at the actual firewall device (different from the VPN device) for all the VPN traffic.

- Jouni
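Jouni's three steps, worked through as an ASA 8.4 configuration fragment. This is added here for illustration and is not from the original thread or from any of the posters: the object names, subnets, peer address, ACL names and the pre-shared-key placeholder are all made up. The crypto ACL stays at subnet granularity (so there is exactly one IPsec SA pair and the peer only has to mirror a single line), `sysopt connection permit-vpn` is disabled, and the port restrictions move into the outside interface ACL. The vpn-filter variant is shown at the end only to make the bidirectional quirk Jouni mentions concrete.

```cisco
! --- Step 1: crypto ACL at host/subnet granularity (one SA pair, no ports) ---
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0

access-list L2L-CRYPTO extended permit ip object LOCAL-LAN object REMOTE-LAN

! 8.4-style identity NAT so tunnelled traffic is not translated on the way out
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-REAL-PSK

! The peer must mirror L2L-CRYPTO exactly, with source/destination swapped:
!   access-list L2L-CRYPTO extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! Had the OP's port-based crypto ACL been used instead, e.g.
!   access-list L2L-CRYPTO extended permit tcp object LOCAL-LAN object REMOTE-LAN eq 443
!   access-list L2L-CRYPTO extended permit tcp object LOCAL-LAN object REMOTE-LAN eq 1433
! every line would negotiate its own IPsec SA pair and would have to match the
! peer's ACL line for line, which is the mismatch both replies warn about.

! --- Step 2: decrypted VPN traffic no longer bypasses the interface ACL ---
no sysopt connection permit-vpn

! --- Step 3: filter tunnelled traffic like any other inbound traffic ---
! Decrypted packets from REMOTE-LAN now hit the outside ACL, so the port
! restrictions live here and are written one direction at a time, with the
! usual stateful return-traffic handling. IKE/ESP to the ASA itself is
! to-the-box traffic and does not need an entry in this ACL.
access-list OUTSIDE_IN extended permit tcp object REMOTE-LAN object LOCAL-LAN eq 443
access-list OUTSIDE_IN extended permit tcp object REMOTE-LAN host 10.1.10.5 eq 1433
access-list OUTSIDE_IN extended deny ip object REMOTE-LAN object LOCAL-LAN log
! ... existing Internet-facing rules follow ...
access-group OUTSIDE_IN in interface outside

! --- For comparison only: the vpn-filter route ---
! A vpn-filter ACL is written with the REMOTE network as source and the LOCAL
! network as destination, and each line is applied to both directions of the
! tunnel. The line below permits remote -> local:443 as intended, but also lets
! a LOCAL host whose source port happens to be 443 initiate toward REMOTE-LAN.
access-list VPN-FILTER extended permit tcp object REMOTE-LAN object LOCAL-LAN eq 443
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-GP
```

After `no sysopt connection permit-vpn`, check with `show run sysopt` that the setting is really off (the default is on and does not appear in a plain `show run`), and verify with `show crypto ipsec sa peer 203.0.113.2` that only one SA pair exists for the subnet-level crypto ACL.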

jjoseph01
Level 3

Thank you both. You have been very helpful to me and I appreciate it.
