same-security-traffic intra-interface and ACLs

Unanswered Question

I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-

acomiskey Thu, 12/20/2007 - 10:52

So you have something like this?

access-group outbound out interface outside

acomiskey Thu, 12/20/2007 - 11:48

I would assume this is because of...

sysopt connection permit-vpn

This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all ipsec vpn traffic.

Another option is to use a vpn-filter assigned to the vpn tunnel group policy.

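As an added illustration of the vpn-filter option described in the reply above (this is not acomiskey's configuration or the original poster's), the following ASA configuration restricts hairpinned remote-access client traffic to web ports only. The pool 10.10.10.0/24, the ACL name VPN-CLIENT-FILTER, the group policy RA-VPN-POLICY and the tunnel group RA-VPN are all constructed names for the example; substitute the ones on your box.

```cisco
! Constructed example: address pool assigned to remote-access clients
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! vpn-filter ACL. For remote-access group policies the ASA expects the
! client-assigned addresses in the source position and the local/remote
! resources in the destination position. With no split tunneling and
! intra-interface hairpinning, "any" covers Internet destinations.
access-list VPN-CLIENT-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list VPN-CLIENT-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list VPN-CLIENT-FILTER extended permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list VPN-CLIENT-FILTER extended deny ip any any
!
! Attach the filter to the group policy used by the RA tunnel group.
! This applies even while "sysopt connection permit-vpn" is left enabled,
! so other IPsec traffic keeps bypassing the interface ACLs.
group-policy RA-VPN-POLICY attributes
 vpn-filter value VPN-CLIENT-FILTER
!
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-VPN-POLICY
```

Two points worth checking after applying this: the ACL used for a vpn-filter should not also be applied with access-group to an interface, and because the filter is evaluated against decrypted traffic in both directions, the "deny ip any any" at the end is what actually enforces the restriction rather than the interface ACL. Verify with "show run group-policy RA-VPN-POLICY" and "show access-list VPN-CLIENT-FILTER" (the hit counts increment as clients browse).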
acomiskey Thu, 12/20/2007 - 12:56


show run sysopt
