ASA5520 v7.2 - How disable VPN traffic?

Jun 15th, 2007
Hi to all,

I have an ASA5520 with v7.2. I have read in the command reference that, by default, the security appliance allows VPN traffic to terminate on a security appliance interface. And here is my question:

How can I disable that to filter the VPN traffic with my own access-list?

Regards, Fernando.

networkingib Tue, 06/19/2007 - 02:00

Hi Shadi,

Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:

"You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."

So if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned from the vpn_pool but not the real public IP of the client.

Regards, Fernando.

shomar Tue, 06/19/2007 - 03:07

Hi Fernando,

This means that you would like to filter VPN negotiations using an access-list?

If that is the situation you will not be able to do that, as far as I know; you can only either receive all the negotiation requests or disable listening to IPSec negotiations on the specific interface.



networkingib Tue, 06/19/2007 - 03:18

Hi Shadi,

Yes, it is, and if you are right it is bad news for me.

Anyway thanks for your interest.

Regards, Fernando.

acomiskey Wed, 06/20/2007 - 07:01

You are wrong here. Shadi was right originally. All that IMPORTANT is telling you is that if you are going to write access in your interface acls, you use the pool address, not the client's public ip. But you will also have to allow isakmp, esp, nat-t etc. in your outside acl from the public ip of the client.

So, to disable vpn connections you can do "no sysopt conn permit-vpn" and allow specific access in your acls.

networkingib Wed, 06/20/2007 - 10:49

Hi acomiskey,

Obviously, before answering Shadi I tried his suggestion, and I confirm that it works as I said.

Even more, I have disabled "sysopt permit connection-vpn" (using "no sysopt conn permit-vpn") and then used the following access-list on the outside interface:

access-list outside_in deny ip any any
access-list outside_in deny esp any any
access-list outside_in deny ahp any any

And the device (the ASA) still allows a vpn client to connect.

If you have some time try it, confirm by yourself and get surprised.

Regards, Fernando.

acomiskey Wed, 06/20/2007 - 11:00

Fernando, I have tried this myself and have gotten much different results. I have to specifically allow isakmp, esp, nat-t etc. for me to connect a vpn tunnel. I guess we're both right.

And for the record, it appeared you were basing your suggestion upon the documentation quoted above.

acomiskey Wed, 06/20/2007 - 11:32

Just tried it again and it allowed me to connect. I know at one point in time I had to allow the ports on another ASA. A bug maybe? Anyway, sorry for the confusion.

networkingib Wed, 06/20/2007 - 23:49

Hi acomiskey,

Thanks for your interest.

I don't know if it is a bug in v7.2 or not. I thought so, but then, when I read the "Command Reference", I came to the conclusion that it was the normal behaviour of "no sysopt conn permit-vpn", and so I am looking for another way to do it.

Kind Regards, Fernando.
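As an added example (not configuration from anyone in this thread), here is the approach acomiskey describes written out for ASA 7.2: disable the VPN bypass and control the decrypted traffic with the outside interface ACL, which sees the vpn_pool address rather than the client's public IP, exactly as the quoted command reference says. All addresses and the object names are constructed placeholders; and note that both posters above observed a client still negotiating even without the permit lines for isakmp/esp, so the filtering you can actually rely on is the one applied to the pool addresses.

```cisco
! Placeholder addressing (constructed for this example):
!   203.0.113.10    remote VPN client's public IP
!   198.51.100.1    ASA outside interface
!   10.10.10.0/24   addresses handed out from vpn_pool
!   192.168.1.0/24  inside LAN, 192.168.1.20 = the one server the client may reach
!
! 1. Stop bypassing interface ACLs for traffic that terminates in a VPN tunnel
no sysopt connection permit-vpn
!
! 2. Negotiation from the client's real public IP to the outside interface
!    (isakmp = udp/500, nat-t = udp/4500, plus esp). The thread's own tests
!    suggest the ASA may accept the negotiation regardless; the lines make the
!    intended exposure explicit and give you hit counters to inspect.
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list outside_in extended permit esp host 203.0.113.10 host 198.51.100.1
!
! 3. Decrypted VPN traffic: the source the ACL sees is the pool address, not the
!    client's public IP, so restrict what the pool may reach on the inside.
access-list outside_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq https
access-list outside_in extended deny ip 10.10.10.0 255.255.255.0 any log
!
! 4. Everything else arriving on the outside interface is dropped and logged
access-list outside_in extended deny ip any any log
!
access-group outside_in in interface outside
!
! Verification while a client is connected: the pool-address lines should show
! increasing hit counts and the deny lines should log anything the pool tries
! beyond the permitted server.
show access-list outside_in
```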
