same-security-traffic intra-interface and ACLs

cbadeau
Level 1

I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-

6 Replies

acomiskey
Level 10

So you have something like this?

access-list outbound out interface outside

almost:

access-group outbound out interface outside

with

access-list outbound extended deny tcp any host x.x.x.x www

inside can't www to x.x.x.x, but vpn clients can.

I would assume this is because of...

sysopt connection permit-vpn

This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all IPsec VPN traffic.

Another option is to use a vpn-filter assigned to the vpn tunnel group policy.
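For reference, here are both options from the reply above written out as ASA configuration. This is an added example, not configuration posted by anyone in the thread; the names RA_POLICY and VPN_FILTER are assumed, and x.x.x.x is the same placeholder host used earlier in the thread.

```cisco
! Added example (not from the thread). Two ways to get remote-access VPN
! client traffic evaluated by an ACL on the ASA. RA_POLICY and VPN_FILTER
! are assumed names; x.x.x.x is the placeholder host from the thread.

! First, confirm the default that is hiding in the running config
! (enabled by default on 7.0 and later, so it is not shown by "show run"):
show run sysopt

! Option 1: stop VPN traffic from bypassing the interface ACLs altogether.
! This applies to every IPsec tunnel on the box, not only the RA clients,
! so site-to-site tunnels would also start hitting the interface ACLs.
no sysopt connection permit-vpn

! Option 2 (narrower): a vpn-filter on the RA group policy. For a
! remote-access group policy the filter ACL is written from the client's
! side: source = client-assigned address, destination = the network being
! reached. The ASA matches the return traffic against the same ACL, so it
! only needs to be written once in this direction.
access-list VPN_FILTER extended deny tcp any host x.x.x.x eq www
access-list VPN_FILTER extended permit ip any any

group-policy RA_POLICY attributes
 vpn-filter value VPN_FILTER

! Keep the vpn-filter ACL separate from any ACL bound with
! "access-group ... interface outside"; the two are evaluated differently
! and should not share an ACL name.
```

Option 2 is the one that keeps the change scoped to the RA clients: the explicit "permit ip any any" at the end matters, because a vpn-filter ACL ends in an implicit deny and a filter consisting only of the deny line would block all client traffic.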

Hmmm. There's no sysopt in the config. So I am correct that the expected behavior from my config should be for the www VPN client traffic to hit outbound ACLs?

Any other ideas?

Thanks

Try..

show run sysopt

Bingo. So a little digging shows 'sysopt connection permit-vpn' is enabled by default post 7.0. This would explain why I don't see it explicitly in the config. Thanks!
