sysopt command

rajbhatt
Level 3

Hi ,

The command sysopt connection permit-ipsec?

When I enable that command, the VPN connections will be allowed inbound from the tunnel without checking the outside interface access list.

Suppose the VPN traffic is coming to the dmz interface. Do I need to allow the traffic on the dmz interface ACL for the inbound traffic and outbound traffic, or does it work only with the crypto and nat 0 ACL?

Raj

9 Replies

miclulich
Level 1

The command, "sysopt connection permit-ipsec" only by-passes the ACL on the ingress interface (Usually Outside).

Please see the definition and usage guidelines here...

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1541923

sysopt connection permit-ipsec

For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

Usage Guidelines

You might want to bypass interface access lists for decrypted traffic to simplify configuration and to maximize the security appliance performance. If you disable this feature, you must apply an access list to the ingress interface that permits decrypted IPSec packets from all IPSec peers (see the access-list and access-group commands).

Hi,

For ingress traffic, the VPN terminates on the outside interface.

But the servers to be accessed are located on the dmz interface.

So we have to give an access list on the dmz if I use the sysopt command as well?

raj

That is correct.

anshubathla
Level 1

Hi

I have one question here

For example, my firewall has two interfaces, inside and outside.

If sysopt is enabled, it bypasses the ACL on the outside interface.

Do we require an access-list to allow the traffic on the inside interface (coming from an inside host, intended for the VPN) besides the crypto ACL?

Thank you

Hi,

The "sysopt connection permit-vpn" command does take effect on any interface where a crypto map is applied or SSL VPN is enabled.

This command is to bypass the ACL but not the NAT rule, so you still need a NAT from DMZ to Outside to allow the traffic flow from a lower to a higher security level interface, if NAT-CONTROL is enabled.

To allow the return traffic for instance, from DMZ to Outside, you need to make sure that any ACL applied to the DMZ interface allows the traffic in question.

HTH.

Portu.

Please rate any helpful posts

Many thanks Jportugu,

So I can conclude that,

IF sysopt is enabled :

We always require an ACL on the interface, say from dmz to outside, which must be a subset of the crypto ACL (whether the traffic is return traffic or a host on the dmz is initiating the traffic).

Yes, you are correct.

The access-list is not always required, since remember that we are coming from a higher security level to a lower.

For instance:

interface f0/0
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface f0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
access-list crypto_map_10 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 1.1.1.2

Scenario 1:

If there is no ACL, then there is no need to add one to allow traffic from dmz to outside. However, nat-control is enabled, so we need to add:

access-list nonat_dmz permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Scenario 2:

There is an access-list applied to the dmz interface as follows:

access-list dmz_in permit ip 192.168.1.0 255.255.255.0 host 74.125.134.104

access-group dmz_in in interface dmz

So, since there is an implicit "deny ip any any", we must add:

access-list dmz_in permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

And if nat-control is enabled or any other NAT rule may affect this traffic then:

access-list nonat_dmz permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Conclusions:

"sysopt connection permit-vpn" bypasses the outside ACL.

An ACL is not always required as long as you are coming from higher to lower (dmz to outside, for instance).

NAT exempt is required as long as nat-control is enabled, or in case there is any other NAT rule that may affect the traffic.

Hope to help.

Portu

Please rate any helpful posts
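As an added example that is not part of the thread: a small Python checker that applies the rules Portu lays out above (decrypted tunnel traffic skips the ingress ACL when sysopt connection permit-vpn is on, every other interface ACL still applies with its implicit deny, traffic from a higher to a lower security level needs no ACL, and with nat-control the tunnel traffic must be covered by a nat 0 entry). The config it parses is a constructed fragment modelled on the one in the post, not the poster's own; the flow addresses 172.16.1.10 and 192.168.1.20 are assumptions, and only 'ip' ACEs, inbound access-groups and NAT exemption for tunnel traffic are modelled (dynamic NAT for ordinary dmz-to-outside traffic is not).

```python
# Added example (not from the thread): does a flow pass interface ACLs, sysopt and nat-control?
import ipaddress
from dataclasses import dataclass, field
# Constructed config fragment modelled on the example in the thread.
SAMPLE_CONFIG = """
interface f0/0
 nameif dmz
 security-level 50
interface f0/1
 nameif outside
 security-level 0
access-list crypto_map_10 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 host 74.125.134.104
access-group dmz_in in interface dmz
nat (dmz) 0 access-list nonat_dmz
crypto map outside_map 10 match address crypto_map_10
crypto map outside_map interface outside
sysopt connection permit-vpn
"""

@dataclass
class AsaPolicy:
    levels: dict = field(default_factory=dict)         # nameif -> security-level
    acls: dict = field(default_factory=dict)           # ACL name -> [(action, src, dst)]
    inbound: dict = field(default_factory=dict)        # nameif -> ACL applied with 'in'
    crypto_acls: set = field(default_factory=set)      # ACLs named by 'match address'
    crypto_ifaces: set = field(default_factory=set)    # interfaces with a crypto map applied
    nat0: dict = field(default_factory=dict)           # nameif -> NAT-exempt ACL (nat ... 0)
    sysopt_permit_vpn: bool = False
    nat_control: bool = True                           # set False to model 'no nat-control'

def _addr(t, i):
    """Parse one address spec (any | host A | A MASK) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_asa(text):
    """Pull out the statements that decide the question; only 'ip' ACEs are modelled."""
    p, iface = AsaPolicy(), None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "nameif":
            iface = t[1]
        elif t[0] == "security-level":
            p.levels[iface] = int(t[1])
        elif t[0] == "access-list":
            j = 3 if t[2] == "extended" else 2            # 'extended' keyword is optional
            src, k = _addr(t, j + 2)                      # t[j] is the action, t[j+1] the protocol
            p.acls.setdefault(t[1], []).append((t[j], src, _addr(t, k)[0]))
        elif t[0] == "access-group" and t[2] == "in":     # access-group NAME in interface IF
            p.inbound[t[4]] = t[1]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            p.nat0[t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and "address" in t:
            p.crypto_acls.add(t[t.index("address") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            p.crypto_ifaces.add(t[4])
        elif t[:2] == ["sysopt", "connection"] and t[2] in ("permit-vpn", "permit-ipsec"):
            p.sysopt_permit_vpn = True
    return p

def acl_permits(p, name, s, d):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for action, src, dst in p.acls.get(name, []):
        if s in src and d in dst:
            return action == "permit"
    return False

def check_flow(p, ingress, egress, src, dst):
    """Return (permitted, reasons) for a packet entering `ingress` bound for `egress`."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Decrypted traffic arrives on the crypto-map interface and mirrors the crypto ACL.
    decrypted = ingress in p.crypto_ifaces and any(acl_permits(p, n, d, s) for n in p.crypto_acls)
    to_tunnel = egress in p.crypto_ifaces and any(acl_permits(p, n, s, d) for n in p.crypto_acls)
    ok, reasons, acl = True, [], p.inbound.get(ingress)
    if decrypted and p.sysopt_permit_vpn:
        reasons.append(f"inbound ACL on {ingress} bypassed by sysopt connection permit-vpn")
    elif acl is not None:                                 # any other interface ACL still applies
        ok = acl_permits(p, acl, s, d)
        reasons.append(f"{acl} on {ingress}: {'permit' if ok else 'implicit deny'}")
    elif p.levels.get(ingress, 0) > p.levels.get(egress, 0):
        reasons.append(f"no ACL on {ingress}: higher to lower security level, allowed")
    else:
        ok = False
        reasons.append(f"no ACL on {ingress}: lower to higher security level, denied")
    if p.nat_control and (decrypted or to_tunnel):        # tunnel traffic needs a nat 0 match
        prot, local, remote = (egress, d, s) if decrypted else (ingress, s, d)
        exempt = prot in p.nat0 and acl_permits(p, p.nat0[prot], local, remote)
        ok = ok and exempt
        reasons.append(f"NAT exempt on {prot}: {'covered' if exempt else 'missing'}")
    return ok, reasons

if __name__ == "__main__":
    policy = parse_asa(SAMPLE_CONFIG)
    print(check_flow(policy, "outside", "dmz", "172.16.1.10", "192.168.1.20"))
```

Run against the sample config, decrypted traffic from 172.16.1.10 to the dmz host passes (ingress ACL bypassed, nat 0 covers it), while the dmz host's own traffic toward 172.16.1.10 is dropped by dmz_in until the extra ACE from Scenario 2 is appended; removing the sysopt line or the nat 0 statement makes the inbound flow fail, and removing the access-group reproduces Scenario 1.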

Hi,

Please mark this question as answered if you do not have any further questions, and do not forget to rate any helpful posts.

Thanks.

Thanks
