Cisco ASA - How do VPN Filters work?


Within this article we will look into how VPN filters work and also how to configure them on a Cisco ASA firewall.

As the name suggests, VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

Note : When the command 'sysopt connection permit-vpn' is applied, all traffic that traverses the ASA via a VPN bypasses any interface access-lists (versions lower than 7.1 use 'sysopt connection permit-ipsec'). In that case the VPN filter is the only access control applied to tunnelled traffic.


VPN filters are configured by defining an ACL, assigning the ACL to a group-policy and then assigning the group-policy to your tunnel-group.

access-list VPN-FILTER permit ip
group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy SITEA

How do they work?

The interesting part (and typically the most confusing) is how the ACL is defined.
When an ACL is applied to an interface, we define whether it should permit (or deny) traffic that is either going in or out of that interface.

However, a VPN filter ACL (which is stateful) is applied to traffic bidirectionally and on all interfaces. Because of this the usual meaning of the source and destination fields within the ACL does not apply; instead the ACL fields relate to which IP/port should be permitted or denied for the remote and local subnets.

access-list VPN-FILTER permit <protocol> <remote-IP> [remote-Port] <local-IP> [local-Port]

It is also worth mentioning that, like most ACLs, an implicit deny rule is applied at the end by default.


Consider 2 VPN peers, Peer A and Peer B. Peer A has a local endpoint of and Peer B has a local endpoint of
If you wanted to permit access from Peer B's endpoint to Peer A's endpoint on port 80, the following ACL entry would be configured,

access-list VPN-FILTER permit tcp 80
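To make the remote/local ordering, the bidirectional matching and the implicit deny concrete, the following is an added example (not code from the original article or from Cisco): a small Python model of how the ASA evaluates a VPN filter ACL against the first packet of a connection. The networks (192.168.1.0/24 as Peer A's local subnet, 192.168.2.0/24 as Peer B's), the ACL lines and the test flows are all constructed for illustration. It also shows the caveat a practitioner should check for: because the same ACE is applied in both directions, a permit written as "remote -> local eq 80" also matches a connection that a local host originates from source port 80 towards any port on the remote side, so the rule is broader than it reads.

```python
"""Added example (not from the original article): a model of how the ASA
interprets a VPN filter ACL.  Each ACE is read as
<remote-IP> [remote-port] <local-IP> [local-port] rather than source/dest,
and the same list is applied to connections in either direction.
All networks, ACL lines and test flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    remote: Net                 # addresses on the far side of the tunnel
    remote_port: Optional[int]
    local: Net                  # addresses behind this ASA
    local_port: Optional[int]

def _addr(tok: list[str], i: int) -> tuple[Net, int]:
    """Consume 'any', 'host A' or 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    return Net(f"{tok[i]}/{tok[i + 1]}"), i + 2   # ipaddress accepts dotted masks

def _port(tok: list[str], i: int) -> tuple[Optional[int], int]:
    """Consume an optional 'eq N' qualifier starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO REMOTE [eq P] LOCAL [eq P]'."""
    tok = line.split()
    if tok[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    remote, i = _addr(tok, 4)
    remote_port, i = _port(tok, i)
    local, i = _addr(tok, i)
    local_port, i = _port(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(action, proto, remote, remote_port, local, local_port)

def parse_acl(config: str, name: str) -> list[Ace]:
    """Collect the ACEs of the named access-list, in configured order."""
    return [parse_ace(l) for l in config.splitlines()
            if l.split()[:2] == ["access-list", name]]

def vpn_filter(acl: list[Ace], proto: str, local_ip: str, local_port: int,
               remote_ip: str, remote_port: int) -> str:
    """Decide the fate of the first packet of a connection.

    The flow is described in local/remote terms only; whether the packet is
    entering or leaving the tunnel is deliberately not an input, because the
    ASA applies the same ACE list in both directions.  First match wins and
    an unmatched flow falls through to the implicit deny."""
    lip, rip = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if lip not in ace.local or rip not in ace.remote:
            continue
        if ace.local_port is not None and ace.local_port != local_port:
            continue
        if ace.remote_port is not None and ace.remote_port != remote_port:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every ACL

# Constructed configuration for Peer A's ASA: Peer B's 192.168.2.0/24 may
# reach web servers in Peer A's local 192.168.1.0/24, and may ping them.
CONFIG = """\
access-list VPN-FILTER permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list VPN-FILTER permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
ACL = parse_acl(CONFIG, "VPN-FILTER")

if __name__ == "__main__":
    # Intended use: a Peer B client opening port 80 on a Peer A server
    print(vpn_filter(ACL, "tcp", "192.168.1.10", 80, "192.168.2.20", 51000))
    # SSH to the same server is not listed, so the implicit deny applies
    print(vpn_filter(ACL, "tcp", "192.168.1.10", 22, "192.168.2.20", 51001))
    # Side effect of bidirectional matching: a Peer A host sourcing from
    # port 80 towards port 22 on Peer B matches the very same ACE
    print(vpn_filter(ACL, "tcp", "192.168.1.10", 80, "192.168.2.20", 22))
```

Running the block prints permit, deny, permit. The third result is the point to take away when reviewing a filter: if outbound connections from the local web server are not wanted, add an explicit deny for them ahead of the permit, or constrain the remote side of the ACE as well.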

Tags: ASA, VPN

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001