Cisco ASA vpn-filter

What are VPN filters?

VPN Filters consist of rules that determine whether to allow or reject tunnelled data packets that come through the ASA, based on criteria such as source address, destination address, and protocol. You can configure ACLs in order to permit or deny various types of traffic.

Why do we need VPN filters?

In a typical scenario, you will have multiple L2L VPNs terminating on the ASA. You may not fully trust some of them, and you can filter the traffic traversing those tunnels using two methods.

  1. Using ACLs - You can apply inbound ACLs on the outside interface to filter incoming traffic and apply outbound ACLs on the inside interface to filter outgoing traffic.
  2. Using VPN filters - You can use a special kind of ACL that is applied to the tunnel instead of to an interface. A VPN filter is even more useful when you have sysopt connection permit-vpn configured on the ASA.

The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy access lists still apply to the traffic.

A vpn-filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel.

💡
When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. I know it's weird. 

This blog post assumes that you have a basic understanding of site-to-site VPNs. If you are not familiar, please check out my other post here.

Cisco ASA Site-to-Site VPN Example (IKEv1 and IKEv2)

Example

Let's assume that we have a site-to-site VPN between our ASA and a supplier firewall. With the vpn-filter, we can restrict the traffic traversing the VPN tunnel.

[Diagram: site-to-site VPN between our ASA and the supplier firewall]

Traffic restrictions

  1. Our local subnet (10.10.10.0/24) can only access 10.10.20.200 on port 443.
  2. Supplier subnet (10.10.20.0/24) can only access 10.10.10.101 on port 22.
  3. Deny everything else.

Create objects and NAT

object-group network LOCAL
 network-object 10.10.10.0 255.255.255.0

object-group network SUPPLIER
 network-object 10.10.20.0 255.255.255.0


nat (inside,outside) 1 source static LOCAL LOCAL destination static SUPPLIER SUPPLIER no-proxy-arp route-lookup

If you need to learn more about Cisco ASA NAT, please check out my post here.

Cisco ASA NAT Example

Define interesting traffic

Define the interesting traffic which will trigger the creation of the VPN tunnel.

access-list VPN-TO-SUPPLIER extended permit ip object LOCAL object SUPPLIER

Create tunnel-group and crypto map entry

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  ikev1 pre-shared-key 12345678


crypto map VPN 10 match address VPN-TO-SUPPLIER
crypto map VPN 10 set pfs group2
crypto map VPN 10 set peer 2.2.2.2
crypto map VPN 10 set ikev1 transform-set AES-SHA
crypto map VPN 10 set security-association lifetime seconds 3600

Configure group policy and vpn-filter

access-list VPN-FILTER extended permit tcp host 10.10.20.200 eq 443 object LOCAL
access-list VPN-FILTER extended permit tcp object SUPPLIER host 10.10.10.101 eq 22
access-list VPN-FILTER extended deny ip any any

group-policy 2.2.2.2 internal
group-policy 2.2.2.2 attributes
 vpn-filter value VPN-FILTER

tunnel-group 2.2.2.2 general-attributes
 default-group-policy 2.2.2.2
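To make the source/destination inversion concrete, here is an added Python model of how a vpn-filter ACL is evaluated (example code written for this post, not an ASA implementation or any Cisco tooling). It parses the VPN-FILTER access-list lines from the configuration above, always places the remote end in the ACE source position as the callout describes, and compares the post's ACL with an inverted version written the way a normal interface ACL would be. The object-group contents, the host addresses 10.10.10.5 and 10.10.20.7, the ephemeral ports, and the assumption that the filter is checked only on the first packet of a connection are all constructed for the example; only numeric ports are parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed object-group contents, matching the names used in the post.
OBJECTS = {
    "LOCAL": [ipaddress.ip_network("10.10.10.0/24")],
    "SUPPLIER": [ipaddress.ip_network("10.10.20.0/24")],
}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp"
    src: list              # networks in the ACE source position
    src_port: Optional[int]
    dst: list              # networks in the ACE destination position
    dst_port: Optional[int]


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok in ("object", "object-group"):
        return OBJECTS[tokens[i + 1]], i + 2
    # plain "address netmask" form
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <numeric port>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text, name):
    """Turn 'access-list NAME extended ...' lines into Ace entries, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _in(ip, nets):
    return any(ip in n for n in nets)


def vpn_filter_permits(aces, src_ip, src_port, dst_ip, dst_port, proto, local_nets):
    """Evaluate the first packet of a connection against a vpn-filter ACL.

    The filter is applied in both directions, but the ACE is always read with
    the remote end in the source position and the local end in the destination
    position. For a connection initiated from a local host we therefore swap
    the tuple before matching; for one initiated from the remote side we match
    it as written. The first matching ACE decides; no match means implicit deny.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if _in(s, local_nets):           # outbound: local host initiated
        remote, rport, local, lport = d, dst_port, s, src_port
    else:                            # inbound: remote host initiated
        remote, rport, local, lport = s, src_port, d, dst_port
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not _in(remote, ace.src) or not _in(local, ace.dst):
            continue
        if ace.src_port is not None and ace.src_port != rport:
            continue
        if ace.dst_port is not None and ace.dst_port != lport:
            continue
        return ace.action == "permit"
    return False


# The filter exactly as written in the post: remote side first.
CORRECT_FILTER = """
access-list VPN-FILTER extended permit tcp host 10.10.20.200 eq 443 object LOCAL
access-list VPN-FILTER extended permit tcp object SUPPLIER host 10.10.10.101 eq 22
access-list VPN-FILTER extended deny ip any any
"""

# The common mistake (constructed): written local-first like an interface ACL.
INVERTED_FILTER = """
access-list VPN-FILTER extended permit tcp object LOCAL host 10.10.20.200 eq 443
access-list VPN-FILTER extended permit tcp host 10.10.10.101 eq 22 object SUPPLIER
access-list VPN-FILTER extended deny ip any any
"""


def check(filter_text):
    """Run the four flows from the post's restrictions through a filter."""
    aces = parse_acl(filter_text, "VPN-FILTER")
    local = OBJECTS["LOCAL"]
    return {
        "local_to_supplier_443": vpn_filter_permits(aces, "10.10.10.5", 50000, "10.10.20.200", 443, "tcp", local),
        "supplier_to_local_22": vpn_filter_permits(aces, "10.10.20.7", 51000, "10.10.10.101", 22, "tcp", local),
        "local_to_supplier_80": vpn_filter_permits(aces, "10.10.10.5", 50001, "10.10.20.200", 80, "tcp", local),
        "supplier_to_local_445": vpn_filter_permits(aces, "10.10.20.7", 51001, "10.10.10.50", 445, "tcp", local),
    }


if __name__ == "__main__":
    print("as written:", check(CORRECT_FILTER))
    print("inverted:  ", check(INVERTED_FILTER))
```

With the ACL as the post writes it, the two intended flows are permitted and everything else hits the final deny. With the inverted version, both intended flows are silently denied, because the local subnet never appears in the ACE source position that the remote address is compared against; that is the failure mode you see when a vpn-filter is copied from an interface ACL.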

Important things to consider

  1. All interesting traffic will trigger the tunnel, whether or not the vpn-filter allows it.
  2. If you deny something by changing the vpn-filter ACL while a tunnel is up, it takes effect immediately.
  3. If you permit something by changing the vpn-filter ACL while a tunnel is up, you MUST rebuild the tunnel.

Reference

Cisco ASA vpn-filter as I see it
I must admit, it took me some time to become familiar with the ASA's “vpn-filter” functionality. Sometimes I have a feeling that guys from Cisco make things weird on purpose. This feature cou…
VPN Filters on Cisco ASA Configuration Example
This document describes VPN filters in detail and applies to LAN-to-LAN (L2L), the Cisco VPN Client, and the Cisco AnyConnect Secure Mobility Client.