Cisco ASA VPN Filters

The VPN filter ACL takes this form. The remote (peer) network is always written as the source and the local network as the destination, whatever direction the connection is opened in; the ASA applies the same rule to outbound traffic with source and destination swapped, so the port clause sits next to whichever side hosts the listening service:

access-list VPN-FILTER permit {protocol} {remote-IP} [eq remote-port] {local-IP} [eq local-port]

Examples:
LOCAL: 192.168.1.0/24 ---------- REMOTE: 10.0.0.0/24

1. Allow the REMOTE network to reach the LOCAL network on port 80 (HTTP):

10.0.0.0/24 > 192.168.1.0/24 on port 80

Source        Destination      Destination Port
10.0.0.10     192.168.1.10     80

The listening port is on the local side, so the eq clause follows the local network:

access-list VPN-FILTER permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

2. Allow the LOCAL network to Telnet to the REMOTE network:

192.168.1.0/24 > 10.0.0.0/24 on port 23

Source          Destination     Destination Port
192.168.1.10    10.0.0.10       23

The listening port is on the remote side, so the eq clause follows the remote network, which is still written first:

access-list VPN-FILTER permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

3. Allow the REMOTE network to Telnet to the LOCAL network:

10.0.0.0/24 > 192.168.1.0/24 on port 23

Source        Destination      Destination Port
10.0.0.10     192.168.1.10     23

access-list VPN-FILTER permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23
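Added example (not from the original note or from Cisco): a small Python helper that builds the three ACEs above from the page's networks and then evaluates a flow against an ACE the way the ASA applies a VPN filter, unchanged for packets arriving from the peer and mirrored for packets leaving the local side. The function names, the `src_port=None` convention and the parsing are assumptions for illustration.

```python
import ipaddress

# Networks from the note: REMOTE is the VPN peer, LOCAL sits behind this ASA (hypothetical helper).
LOCAL = ipaddress.ip_network("192.168.1.0/24")
REMOTE = ipaddress.ip_network("10.0.0.0/24")


def vpn_filter_ace(initiator, port, name="VPN-FILTER", proto="tcp"):
    """Build the ACE for a service on `port` reached by `initiator` ('remote' or 'local').
    The remote network is always written first (as source); the 'eq' clause is attached
    to whichever side hosts the listening port."""
    if initiator not in ("remote", "local"):
        raise ValueError("initiator must be 'remote' or 'local'")
    remote = f"{REMOTE.network_address} {REMOTE.netmask}"
    local = f"{LOCAL.network_address} {LOCAL.netmask}"
    if initiator == "remote":          # remote -> local: the port lives on the local side
        local += f" eq {port}"
    else:                              # local -> remote: the port lives on the remote side
        remote += f" eq {port}"
    return f"access-list {name} permit {proto} {remote} {local}"


def parse_ace(ace):
    """Split an ACE of the form above into ((remote_net, remote_port), (local_net, local_port))."""
    t = ace.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError("unsupported ACE")
    sides, i = [], 4
    for _ in range(2):
        net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")
        i += 2
        port = None
        if i < len(t) and t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        sides.append((net, port))
    return sides[0], sides[1]


def ace_permits(ace, src_ip, dst_ip, dst_port, src_port=None):
    """Evaluate one ACE as a VPN filter would: as written for packets coming from the peer,
    with source/destination swapped for packets leaving the local side.
    src_port=None models an ephemeral client port, which matches no 'eq' clause."""
    (rnet, rport), (lnet, lport) = parse_ace(ace)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    def ok(clause, p):
        return clause is None or clause == p

    if src in rnet and dst in lnet:    # inbound: the remote side is the packet source
        return ok(rport, src_port) and ok(lport, dst_port)
    if src in lnet and dst in rnet:    # outbound: the ASA matches with the ACE mirrored
        return ok(lport, src_port) and ok(rport, dst_port)
    return False
```

Running `ace_permits(vpn_filter_ace("local", 23), "10.0.0.10", "192.168.1.10", 23)` returns False, which is the check worth doing before deploying a filter: an ACE meant for local-initiated Telnet does not open Telnet from the peer.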

Verify:

show asp table filter [access-list <name>] [hits]

     access-list <name>   Show the installed filter rules for the named access-list
     hits                 Show only filter rules with non-zero hit counts

clear asp table filter [access-list <name>]

     access-list <name>   Clear the hit counters only for the named access-list
