Cisco ASA – How do VPN Filters work ?

Introduction

Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall.

As the name suggests VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

Note : When the command ‘sysopt connection permit-ipsec’ is applied, all traffic that transverses the ASA via a VPN bypasses any interface access-lists (versions lower 7.1 use ‘sysopt connection permit-ipsec’).

Syntax

VPN filters are configured by defining an ACL, assigning the ACL to a group-policy and then assigning the group-policy to your tunnel-group.

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITEA

How do they work ?

The interesting part (and typically the most confusing) is how the ACL is defined.
When an ACL is applied to an interface, we define when it should permit (or deny) traffic that is either going in or out of the interface.

However with a VPN filter the ACL,(which is stateful) it is applied to traffic, both bi-bidirectionally and to all interfaces. Because of this the definition of the source and destination fields within the ACL do not apply ; instead the ACL fields relate to what IP/Port should be permitted or denied for the Local and Remote subnets.

access-list VPN-FILTER permit <remote-IP> [remote-Port] <local-IP> [local-Port]

It is also worth mentioning like most ACLs there is an implicit deny rule is applied by default.

Example 

Based on 2 VPN peers, Peer A and Peer B. Peer A has a local endpoint of 172.16.10.0/24 and Peer B has a local endpoint of 172.16.20.0/24.
If you wanted to permit access from Peer B`s endpoint to Peer A`s endpoint on port 80 the following ACL entry would be configured,

access-list VPN-FILTER permit tcp 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0 80

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial