12-20-2007 10:25 AM - edited 03-09-2019 07:41 PM
I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-
12-20-2007 10:52 AM
So you have something like this?
access-list outbound out interface outside
12-20-2007 11:24 AM
almost:
access-group outbound out interface outside
with
access-list outbound extended deny tcp any host x.x.x.x eq www
inside can't www to x.x.x.x, but vpn clients can.
12-20-2007 11:48 AM
I would assume this is because of...
sysopt connection permit-vpn
This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all IPsec VPN traffic.
Another option is to use a vpn-filter assigned to the vpn tunnel group policy.
12-20-2007 12:40 PM
Hmmm. There's no sysopt in the config. So I am correct that the expected behavior from my config should be for the www VPN client traffic to hit outbound ACLs?
Any other ideas?
Thanks
12-20-2007 12:56 PM
Try..
show run sysopt
12-21-2007 05:49 AM
Bingo. So a little digging shows 'sysopt connection permit-vpn' is enabled by default post 7.0. This would explain why I don't see it explicitly in the config. Thanks!
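The two fixes discussed in the thread, written out as an added ASA 7.2 configuration example (not taken from the original posts); the ACL, group-policy and tunnel-group names other than "outbound" and x.x.x.x are assumptions:

```cisco
! Interface ACL that blocks inside hosts from www on x.x.x.x.
! Decrypted RA VPN client traffic bypasses it as long as
! "sysopt connection permit-vpn" is in effect.
access-list outbound extended deny tcp any host x.x.x.x eq www
access-list outbound extended permit ip any any
access-group outbound out interface outside
!
! On 7.0 and later this setting is the default, so "show run"
! omits it; "show run sysopt" (as used in the thread) prints it:
!   sysopt connection permit-vpn
!
! Option A: make decrypted VPN traffic subject to interface ACLs.
! This affects every IPsec tunnel on the box, not just RA clients.
no sysopt connection permit-vpn
!
! Option B (keep the sysopt default): attach a vpn-filter to the
! group policy of the RA tunnel group. For remote-access users the
! filter ACL is written from the client's side: source = VPN client,
! destination = whatever the client reaches, including hairpinned
! internet traffic. The ACL ends with an implicit deny, so the
! trailing permit is required or all other client traffic is dropped.
! Assumed names: VPN-FILTER, RA-POLICY, RA-TUNNEL.
access-list VPN-FILTER extended deny tcp any host x.x.x.x eq www
access-list VPN-FILTER extended permit ip any any
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
```

Option B is the narrower change: it restricts only the RA clients that use RA-POLICY and leaves site-to-site tunnels unaffected.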