fir3net
PPS-Firenetbanner-780.5x190-30-03-17

Cisco ASA - How do VPN Filters work ?

Introduction

Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall.

As the name suggests VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

Note : When the command 'sysopt connection permit-ipsec' is applied, all traffic that transverses the ASA via a VPN bypasses any interface access-lists (versions lower 7.1 use 'sysopt connection permit-ipsec').

Syntax

VPN filters are configured by defining an ACL, assigning the ACL to a group-policy and then assigning the group-policy to your tunnel-group.

access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITEA

How do they work ?

The interesting part (and typically the most confusing) is how the ACL is defined.
When an ACL is applied to an interface, we define when it should permit (or deny) traffic that is either going in or out of the interface.

However with a VPN filter the ACL,(which is stateful) it is applied to traffic, both bi-bidirectionally and to all interfaces. Because of this the definition of the source and destination fields within the ACL do not apply ; instead the ACL fields relate to what IP/Port should be permitted or denied for the Local and Remote subnets.

access-list VPN-FILTER permit <remote-IP> [remote-Port] <local-IP> [local-Port]

It is also worth mentioning like most ACLs there is an implicit deny rule is applied by default.

Example 

Based on 2 VPN peers, Peer A and Peer B. Peer A has a local endpoint of 172.16.10.0/24 and Peer B has a local endpoint of 172.16.20.0/24.
If you wanted to permit access from Peer B`s endpoint to Peer A`s endpoint on port 80 the following ACL entry would be configured,

access-list VPN-FILTER permit tcp 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0 80

Tags: ASA, VPN

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001