Cisco ASA VPN Filter

This topic is to discuss the following lesson:

Hi Laz,

Query related to Cisco ASA Remote Access VPN:

My query is: what traffic is shown by in id=0x7f11b99ce080 (source and destination) and out id=0x7f11b99c34d0 in the output of show asp table filter, according to the ASA? I am a little bit confused about which traffic is being inbound filtered and which one is outbound filtered.

Hello Pradyumna

First of all, when you post your question, please post it in the forum topic associated with the lesson that you are asking about. This way it is easier for us to understand the context of your question, and it eliminates the need to move your post to the appropriate forum topic… Thanks!

Now as for your question, you can see in the output that the in indicator shows source traffic from anywhere (0.0.0.0) to R1 (192.168.1.1). So this is for traffic from the VPN remote user towards the internal network. So this is the inbound filter. The out indicator shows the opposite, or the outbound traffic filter.

Now there are two additional in and out filters, and these are the implicit deny filters. One is for IPv4 and the other is for IPv6. These exist by default. You can differentiate between those and the one that was created by the filter ID which in this case is the name of the access list: RESTRICT_VPN.

I hope this has been helpful!

Laz

Hi. I configured a Cisco ASA remote access VPN. I have 2 VPN users: vpnuser1 and vpnuser2.
On the local network I have 2 hosts (host1 192.168.1.1, host2 192.168.1.2). I want to add a VPN filter which will deny ICMP to host2 from vpnuser1. I know on this site there is a course (Cisco ASA VPN Filter) which demonstrates this config, but what I want is not there.

Hello Cemil

Yes, you are correct that there is a lesson about the Cisco ASA VPN Filter:


Now in the above lesson, you will find that you are able to apply access lists to specific users. So you can create an extended access list that will deny ICMP packets to the IP address of host2. You can then apply the access list as a VPN filter on the specific username. This should give you the result you require.

Try it out and let us know how you get along.

I hope this has been helpful!

Laz
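A worked ASA configuration for the per-user filter described in the reply above, added here as an example; it is not from the lesson or from Laz's post. The ACL name DENY_ICMP_HOST2 is an assumption, and the existing tunnel-group and group-policy for vpnuser1 are left unchanged.

```cisco
! Added example (not the lesson's own config): deny ICMP from vpnuser1 to host2.
! ASA VPN filter ACLs are written from the remote client's point of view:
! source = VPN client address, destination = inside host. The ASA derives the
! matching outbound entry itself, which is why "show asp table filter" lists
! both an "in" and an "out" entry carrying the same ACL name.
!
! Assumed ACL name: DENY_ICMP_HOST2.

! 1. Block ICMP from any VPN client address to host2; permit everything else.
!    The explicit permit is required because a VPN filter ends in an implicit deny.
access-list DENY_ICMP_HOST2 extended deny icmp any host 192.168.1.2
access-list DENY_ICMP_HOST2 extended permit ip any any

! 2. Attach the ACL as a VPN filter to vpnuser1 only. vpnuser2 is unaffected
!    because the filter is set in the user's attributes, not in the group policy.
username vpnuser1 attributes
 vpn-filter value DENY_ICMP_HOST2

! 3. Verify. Once vpnuser1 is connected, the filter table should show an "in"
!    entry (client -> 192.168.1.2, ICMP, deny) and the derived "out" entry, both
!    tagged with the ACL name, next to the two default IPv4/IPv6 implicit-deny entries.
show running-config username vpnuser1
show asp table filter
```

The filter is enforced even though decrypted VPN traffic bypasses the interface ACLs by default (sysopt connection permit-vpn), so this is the right place to restrict a single remote user.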