Cisco ASA - How do VPN Filters work ?
Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall.
As the name suggests VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.
Note : When the command 'sysopt connection permit-ipsec' is applied, all traffic that transverses the ASA via a VPN bypasses any interface access-lists (versions lower 7.1 use 'sysopt connection permit-ipsec').
VPN filters are configured by defining an ACL, assigning the ACL to a group-policy and then assigning the group-policy to your tunnel-group.
access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
group-policy SITEA internal
group-policy SITEA attributes
vpn-filter value VPN-FILTER
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 general-attributes
How do they work ?
The interesting part (and typically the most confusing) is how the ACL is defined.
When an ACL is applied to an interface, we define when it should permit (or deny) traffic that is either going in or out of the interface.
However with a VPN filter the ACL,(which is stateful) it is applied to traffic, both bi-bidirectionally and to all interfaces. Because of this the definition of the source and destination fields within the ACL do not apply ; instead the ACL fields relate to what IP/Port should be permitted or denied for the Local and Remote subnets.
access-list VPN-FILTER permit <remote-IP> [remote-Port] <local-IP> [local-Port]
It is also worth mentioning like most ACLs there is an implicit deny rule is applied by default.
Based on 2 VPN peers, Peer A and Peer B. Peer A has a local endpoint of 172.16.10.0/24 and Peer B has a local endpoint of 172.16.20.0/24.
If you wanted to permit access from Peer B`s endpoint to Peer A`s endpoint on port 80 the following ACL entry would be configured,
access-list VPN-FILTER permit tcp 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0 80