03-20-2013 04:15 AM
Hello,
I need some clarification on the differences between a VPN filter vs. an interface filter.
I am using an IPsec crypto tunnel between our site, using an ASA 5525, and a remote client who is using a Palo Alto firewall.
I have applied a vpn-filter on the tunnel for these sites, but I am being told that an interface filter would have been simpler.
In terms of security, which method is the best approach?
Jay
08-21-2013 05:56 AM
Hi Fredy,
Yes, the VPN filter works in the same way for AnyConnect and IPsec clients.
I think "sysopt connection permit-vpn" is a powerful feature when you have hundreds of tunnels which generate tons of ACEs.
With that said, it is pretty common to see that feature enabled (it is by default), but it really depends on the way you want / need to control the VPN traffic.
HTH.
09-04-2013 02:43 PM
I have a question about vpn-filter / access-lists on interfaces. I still do not understand it completely, mainly for flows originated on the inside, not remotely in the VPN.
Assume that I have a flow inside (local) -> outside (remote), tunneled. I have the interface access-list (for example "inside_in") applied on interface "inside". But I also have a VPN filter.
When I permit the flow inside -> outside in the interface access-list "inside_in", do I have to do the same in the VPN filter? Or is "inside_in" alone enough, and the VPN filter only applies to flows originated on the remote side?
I'm using the sysopt default for the VPN, trusting the crypto map.
Regards
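The two questions in this thread (vpn-filter vs. interface ACL in the first post, and whether an inside-originated flow needs both ACLs in the last post) are easiest to answer with the configuration side by side. The fragment below is an added example written for this thread, not a configuration taken from any post. The network ranges (10.1.0.0/16 local, 10.2.0.0/16 remote), the peer address 203.0.113.10 and the ACL, group-policy and tunnel-group names are all assumed for illustration.

```cisco
! --- Interface ACL: evaluated for every packet arriving on "inside",
! --- whether or not it will later be encrypted into the tunnel.
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 443
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

! --- VPN filter: evaluated for tunnel traffic in both directions
! --- (pre-encryption on the way out, post-decryption on the way in).
! --- The ACEs are written from the remote peer's point of view:
! --- source = remote network, destination = local network.
! --- Inside-originated HTTPS to the remote side therefore needs the
! --- remote network as source with source port 443, local as destination.
access-list VPN-FILTER-REMOTE extended permit tcp 10.2.0.0 255.255.0.0 eq 443 10.1.0.0 255.255.0.0
! Remote-originated HTTPS to a local server: remote as source, local as destination port 443.
access-list VPN-FILTER-REMOTE extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
! Implicit deny at the end of a vpn-filter ACL drops everything else in the tunnel.

group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 vpn-filter value VPN-FILTER-REMOTE

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-REMOTE

! --- Default behaviour, as mentioned in the thread: decrypted tunnel traffic
! --- bypasses the interface ACL on "outside", but the vpn-filter still applies.
sysopt connection permit-vpn
! To make the "outside" interface ACL apply to decrypted traffic as well, use:
! no sysopt connection permit-vpn
```

So for an inside-originated flow, both ACLs are consulted: "inside_in" when the packet arrives on the inside interface, and the vpn-filter before the packet is encrypted. An ACE in one does not substitute for the other, and a vpn-filter ACE that only permits remote-to-local on destination port 443 will not match a local-to-remote connection, because the vpn-filter ACL is always written with the remote side as source. The practical difference between the two approaches is scope: the interface ACL sees all traffic on that interface, while the vpn-filter is bound per group-policy and so can express different policy per tunnel without touching the interface ACL.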