67-45
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
A vpn-filter command is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic
before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface
access-group. When a vpn-filter command is applied to a group policy that governs Remote Access VPN
client connections, the ACL should be configured with the client assigned IP addresses in the src_ip
position of the ACL and the local network in the dest_ip position of the ACL.
When a vpn-filter command is applied to a group-policy that governs a LAN to LAN VPN connection,
the ACL should be configured with the remote network in the src_ip position of the ACL and the local
network in the dest_ip position of the ACL.
Caution should be used when constructing the ACLs for use with the vpn-filter feature. The ACLs are
constructed with the post-decrypted traffic in mind. However, ACLs are also applied to the traffic in the
opposite direction. For this pre-encrypted traffic that is destined for the tunnel, the ACLs are constructed
with the src_ip and dest_ip positions swapped.
In the following example, the vpn-filter is used with a Remote Access VPN client.
This example assumes that the client assigned IP address is 10.10.10.1/24 and the local network is
192.168.1.0/24.
The following ACE will allow the Remote Access VPN client to telnet to the local network:
hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255
192.168.1.0 255.255.255.0 eq 23
The following ACE will allow the local network to telnet to the Remote Access client:
hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq
23 192.168.1.0 255.255.255.0
Note Note: The ACE access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq
23 will allow the local network to initiate a connection to the Remote Access client on any TCP port if
it uses a source port of 23. The ACE access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq 23
192.168.1.0 255.255.255.0 will allow the Remote Access client to initiate a connection to the local
network on any TCP port if it uses a source port of 23.
In the next example, the vpn-filter is used with a LAN to LAN VPN connection. This example assumes
that the remote network is 10.0.0.0/24 and the local network is 192.168.1.0/24.
The following ACE will allow remote network to telnet to the local network:
hostname(config-group-policy)# access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0
192.168.1.0 255.255.255.0 eq 23
The following ACE will allow the local network to telnet to the remote network:
hostname(config-group-policy)# access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23
192.168.1.0 255.255.255.0
Note Note: The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23
will allow the local network to initiate a connection to the remote network on any TCP port if it uses a
source port of 23. The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0
255.255.255.0 will allow the remote network to initiate a connection to the local network on any TCP
port if it uses a source port of 23.
Step8 Specify the VPN tunnel type for this group policy.
vpn-tunnel-protocol {ikev1 | ikev2 | l2tp-ipsec | ssl-client | ssl-clientless}