How does a vpn-filter (VPN filter ACL / VPN filter access list) work, and how is it different from a standard ACL?
The way the ASA processes and applies a standard ACL is different from how a VPN filter ACL (vpn-filter ACL) works.
Normally, when defining the VPN filter ACL rules, you specify them in this format:
access-list <acl-no> <permit/deny> ip <remote network> <local network>
- local network: the FW's local segments, i.e. the segments we want a VPN client to have access to
- remote network: the network the VPN traffic (the VPN user's traffic) is coming from
Below are some extracts from available documentation I found:
Descriptions from various documentation links:
- PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access
- Configuring Tunnel Groups, Group Policies, and Users from Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
When a vpn-filter command is applied to a group-policy that governs a LAN to LAN VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.
- vpn-filter from Cisco ASA 5500 Series Command Reference, 8.2
In the L2L VPN Filter ACLs you ALWAYS define the source address as the "remote network". This creates confusion every now and then about how the rules should actually look. It also potentially allows more traffic than you want, as the single ACL rule is bidirectional.
Well, firstly the group-policy, and hence the vpn-filters, will take effect only after the tunnel comes up. So you would not be able to restrict what traffic brings up the tunnel using vpn-filters.
Conclusion and things to remember
- The vpn-filters work on top of the crypto domain: you first define the interesting traffic that brings the tunnel up (the crypto domain), and that traffic can then be filtered further by the VPN filter
- A single VPN filter ACL rule is stateful (once a rule allows the traffic through, the return traffic is allowed as well)
- In addition, for every single VPN filter ACL rule the ASA engine creates another, implicit ACL rule; this second rule permits the other peer to initiate traffic and send it over the VPN tunnel
- You define the vpn-filter rule from the remote FW's perspective; on our FW the VPN filter inspects the ingress traffic: once the packet enters the FW and is decrypted, its source, destination and ports are checked against our filter
- VPN filters do not check egress VPN traffic (there is no way to inspect encrypted traffic anyway)
- Traffic arriving at the FW from its local networks (towards the tunnel) is controlled by the implicit VPN filter rules
- In other words, the VPN filter explicitly controls packets AFTER they have been decrypted by the FW, and the implicit rules control the traffic BEFORE it enters the tunnel; even if you only want to filter the traffic BEFORE it enters the VPN, you still have to write it as the explicit AFTER-decryption VPN filter rule
- The VPN filter controls the inbound and outbound VPN traffic at the same time; you can't have 2 VPN filters configured (one per direction)
- Changes to the VPN filter that add DENY statements take effect immediately
- Changes to the VPN filter that add PERMIT statements require the tunnel to be restarted
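To tie the rule format above to the conclusions, here is an added L2L configuration example (not from the original page or from Cisco's documentation) that shows where the port sits depending on which side initiates. Assumed values: local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, a local server 10.1.0.50, a remote host 10.2.0.20, and peer address 203.0.113.10 used as the tunnel-group name.

```cisco
! Added example, not from the original page. All addresses are assumed.
!
! Crypto domain (interesting traffic): written from OUR side, local -> remote.
! This is what brings the tunnel up; the vpn-filter only applies afterwards.
access-list L2L_CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! vpn-filter ACL: every line is written remote -> local and is matched against
! packets after decryption; the ASA adds an implicit mirrored rule per line.
!
! Remote hosts may open TCP/443 to our server: destination port after the LOCAL address.
access-list L2L_FILTER extended permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.50 eq 443
!
! Our hosts may open TCP/22 to the remote host: the port goes after the REMOTE
! address (source-port position), because the line is still written remote -> local
! and it is the implicit mirrored rule that lets our side initiate.
access-list L2L_FILTER extended permit tcp host 10.2.0.20 eq 22 10.1.0.0 255.255.255.0
!
! ICMP in either direction (the same line covers both, as the rule is bidirectional).
access-list L2L_FILTER extended permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Anything else inside the tunnel hits the implicit deny at the end of the filter.
!
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value L2L_FILTER
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_GP
```

Note that the crypto ACL still permits all IP between the two LANs, so the tunnel can come up for any flow; it is the vpn-filter that narrows what is actually allowed through it.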