Cisco ASA 5545-X Adaptive Security Appliance Technical Manual

live, make sure that you understand the potential impact of any command.
Background Information
The sysopt connection permit-vpn command allows all the traffic that enters the security
appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user
authorization access lists still apply to the traffic.
A vpn-filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic
before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an
interface access-group.
When a vpn-filter is applied to a group-policy that governs Remote Access VPN client
connections, the ACL should be configured with the client-assigned IP addresses in the src_ip
position of the ACL and the local network in the dest_ip position of the ACL. When a vpn-filter is
applied to a group-policy that governs an L2L VPN connection, the ACL should be configured with
the remote network in the src_ip position of the ACL and the local network in the dest_ip position
of the ACL.
Configure
VPN filters must be configured in the inbound direction, although the rules are still applied bidirectionally.
Enhancement 
 has been opened to support unidirectional rules, but it has not yet
been scheduled/committed for implementation.
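The following is an added model of the bidirectional behaviour described above; it is not code from Cisco or from this document. It assumes, as a simplification, that the ASA evaluates each vpn-filter ACE both as written and with source and destination swapped (comparing the ACE's destination port with the packet's source port), and it uses the client address 10.10.10.1 and local network 192.168.1.0/24 from Example 1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One vpn-filter ACE: permit <proto> <src_net> <dst_net> [eq <dst_port>]."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return (self.proto == proto
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


def vpn_filter_permits(acl, proto, src_ip, sport, dst_ip, dport):
    """Assumed model of the behaviour the document describes: an ACE written in
    the inbound direction is also applied to the reverse direction, so a packet
    is checked as-is and with source/destination swapped; in the swapped check
    the ACE's destination port is compared with the packet's SOURCE port.
    Implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.matches(proto, src_ip, dst_ip, dport):
            return True
        if ace.matches(proto, dst_ip, src_ip, sport):  # reverse-direction check
            return True
    return False


# Constructed ACL using the addresses assumed in Example 1: the client may
# Telnet (TCP/23) to the local network.
VPNFILT_RA = [Ace("tcp", ipaddress.ip_network("10.10.10.1/32"),
                  ipaddress.ip_network("192.168.1.0/24"), 23)]


def demo():
    """Intended flow, the bidirectional side effect, and two flows still denied."""
    return {
        "client_to_telnet": vpn_filter_permits(VPNFILT_RA, "tcp", "10.10.10.1", 51000, "192.168.1.5", 23),
        # A local host that uses SOURCE port 23 reaches the client on any port.
        "local_sport23_to_client": vpn_filter_permits(VPNFILT_RA, "tcp", "192.168.1.5", 23, "10.10.10.1", 44444),
        "local_to_client_telnet": vpn_filter_permits(VPNFILT_RA, "tcp", "192.168.1.5", 5555, "10.10.10.1", 23),
        "client_to_ssh": vpn_filter_permits(VPNFILT_RA, "tcp", "10.10.10.1", 51000, "192.168.1.5", 22),
    }
```

The second result is why a vpn-filter ACE should be reviewed as a two-way rule: it exposes the client to connections from the local network whenever the local side uses the ACE's destination port as its source port.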
Example 1. vpn-filter with AnyConnect or VPN Client
Assume that the client-assigned IP address is 10.10.10.1/24 and the local network is
192.168.1.0/24.
This Access Control Entry (ACE) allows the AnyConnect client to Telnet to the local network:
Note: The ACE access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0