VPN-Filter vs. Interface ACLs on ASA 5525

j44mistry
Level 1

Hello,

I need some clarification on the differences between a VPN-Filter vs. an Interface filter.

I am using an IPsec crypto tunnel between our site using an ASA 5525 and a remote client who is using a Palo Alto firewall.

I have applied a vpn-filter on the tunnel for these sites, but I am being told that an interface filter would have been simpler.

In terms of security, which method is the best approach?

Jay

16 Replies

Hi Fredy,

Yes, the VPN filter works in the same way for AnyConnect and IPsec clients.

I think the "sysopt connection permit-vpn" is a powerful feature when you have hundreds of tunnels which generate tons of ACEs.

With that said, it is pretty common to see that feature enabled (it is by default), but it really depends on the way you want / need to control the VPN traffic.

HTH.

I have a question about vpn-filter / access-lists on interfaces. I still don't understand it completely, mainly for flows originated on the inside, not remotely in the VPN.

Assume that I have a flow inside (local) -> outside (remote), tunneled. I have the interface access-list (for example "inside_in") applied on interface "inside". But I also have a VPN-filter.

When I permit the flow inside -> outside in the interface access-list "inside_in", do I have to do the same in the VPN-filter? Or is "inside_in" alone enough, and the VPN-filter is only for flows originated on the remote side?

I'm using the sysopt default for VPN, trusting in crypto-map.

Regards
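The two approaches discussed in this thread, side by side, as an added illustration that is not configuration posted by any participant. Addresses, ACL and policy names, ports and the peer address placeholder are all constructed; the points it shows are the default `sysopt connection permit-vpn` bypass, the remote-as-source orientation of vpn-filter ACEs (the ASA applies them to both directions of the tunnel, which is what makes the filter relevant to inside-originated flows too), and the interface-ACL-only alternative with the bypass disabled.

```cisco
! Added example, not from the thread. Constructed values:
!   local LAN  10.1.1.0/24 behind "inside"
!   remote LAN 192.168.50.0/24 behind the peer (<PEER_IP> is a placeholder)
!
! ===== Option A: per-tunnel vpn-filter (interface ACL bypass left on) =====
! Default setting: decrypted VPN traffic is NOT checked against the
! outside interface ACL.
sysopt connection permit-vpn
!
! vpn-filter ACEs are written with the REMOTE network as source and the
! LOCAL network as destination. The ASA evaluates the same list for traffic
! leaving toward the peer (pre-encryption), mirroring the ACE, so one list
! governs both remote->inside and inside->remote flows. Anything not
! permitted here is dropped regardless of the interface ACLs.
access-list VPN_FILTER_PEER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
!   remote hosts may reach local web server 10.1.1.10 on 443
access-list VPN_FILTER_PEER extended permit tcp 192.168.50.0 255.255.255.0 eq 1433 host 10.1.1.20
!   local host 10.1.1.20 may initiate to a remote SQL server on 1433:
!   still remote-as-source, with the port placed on the source side
group-policy GP_PEER internal
group-policy GP_PEER attributes
 vpn-filter value VPN_FILTER_PEER
tunnel-group <PEER_IP> type ipsec-l2l
tunnel-group <PEER_IP> general-attributes
 default-group-policy GP_PEER
!
! The inside interface ACL is still evaluated for inside->outside traffic
! before it is encrypted, so an inside-originated flow must pass BOTH
! "inside_in" and the mirrored vpn-filter ACE.
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group inside_in in interface inside
!
! ===== Option B: interface ACLs only (bypass disabled) =====
! With the bypass off, decrypted traffic from every tunnel is checked
! against the outside interface ACL like any other inbound packet.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-group outside_in in interface outside
! One shared list now controls all peers, so per-peer restrictions have
! to be expressed as ACEs keyed on each peer's networks, which is why the
! vpn-filter approach scales better once there are many tunnels.
```

When troubleshooting which control dropped a flow, `show asp drop` and `packet-tracer` distinguish an interface-ACL denial from a vpn-filter denial, and `show vpn-sessiondb detail l2l` shows which group-policy (and therefore which filter) a tunnel picked up.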