1-48
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Group Policies
Note The ipv6-vpn-filter command was deprecated starting with ASA 9.0. The 'vpn-filter' CLI
should be used to configure unified filter with both IPv4 and IPv6 entries. This IPv6 filter
will only be used if there are no IPv6 entries in the access-list specified by 'vpn-filter'
Note You can also configure this attribute in username mode, in which case the value configured
under username supersedes the group-policy value.
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
You configure ACLs to permit or deny various types of traffic for this group policy. You then enter
the vpn-filter command to apply those ACLs.
To remove the ACL, including a null value created by entering the vpn-filter none command, enter
the no form of this command. The no option allows inheritance of a value from another group policy.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter
the none keyword instead of specifying an ACL name. The none keyword indicates that there is no
access list and sets a null value, thereby disallowing an access list.
The following example shows how to set a filter that invokes an access list named acl_vpn for the
group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter acl_vpn
hostname(config-group-policy)#
A vpn-filter command is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic
before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface
access-group. When a vpn-filter command is applied to a group policy that governs Remote Access VPN
client connections, the ACL should be configured with the client assigned IP addresses in the src_ip
position of the ACL and the local network in the dest_ip position of the ACL.
When a vpn-filter command is applied to a group-policy that governs a LAN to LAN VPN connection,
the ACL should be configured with the remote network in the src_ip position of the ACL and the local
network in the dest_ip position of the ACL.
Caution should be used when constructing the ACLs for use with the vpn-filter feature. The ACLs are
constructed with the post-decrypted traffic in mind. However, ACLs are also applied to the traffic in the
opposite direction. For this pre-encrypted traffic that is destined for the tunnel, the ACLs are constructed
with the src_ip and dest_ip positions swapped.
In the following example, the vpn-filter is used with a Remote Access VPN client.
This example assumes that the client assigned IP address is 10.10.10.1/24 and the local network is
192.168.1.0/24.
The following ACE will allow the Remote Access VPN client to telnet to the local network:
hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255
192.168.1.0 255.255.255.0 eq 23
The following ACE will allow the local network to telnet to the Remote Access client:
hostname(config-group-policy)# access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq
23 192.168.1.0 255.255.255.0
To Next Page
Loading...
Need help?
General
