same-security-traffic intra-interface and ACLs

cbadeau
Level 1

I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-

6 Replies

acomiskey
Level 10

So you have something like this?

access-list outbound out interface outside

almost:

access-group outbound out interface outside

with

access-list outbound extended deny tcp any host x.x.x.x www

inside can't www to x.x.x.x, but vpn clients can.

I would assume this is because of...

sysopt connection permit-vpn

This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all IPsec VPN traffic.

Another option is to use a vpn-filter assigned to the vpn tunnel group policy.

Hmmm. There's no sysopt in the config. So I am correct that the expected behavior from my config should be for the www VPN client traffic to hit outbound ACLs?

Any other ideas?

Thanks

Try...

show run sysopt

Bingo. So a little digging shows 'sysopt connection permit-vpn' is enabled by default post 7.0. This would explain why I don't see it explicitly in the config. Thanks!
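Putting the thread's two findings together (the hidden default and the vpn-filter alternative), here is an added example of how the per-tunnel-group filter would look; it is not configuration from the thread. The client pool 10.10.10.0/24, the group policy name RA_POLICY and the tunnel group name RA_TUNNEL are assumptions; x.x.x.x is the host from the original ACL.

```cisco
! Added example (not from the thread). Assumed names: pool 10.10.10.0/24,
! group policy RA_POLICY, tunnel group RA_TUNNEL.
!
! 1. The default is hidden from 'show run'; ask for it explicitly:
show run sysopt
!   sysopt connection permit-vpn   <- present by default on 7.0 and later
!
! 2. Keep the global bypass in place and filter only this tunnel group.
!    vpn-filter ACEs are written with the VPN client side as the source,
!    and the list ends in an implicit deny, so the permit line is required.
access-list VPN_CLIENTS_FILTER extended deny tcp 10.10.10.0 255.255.255.0 host x.x.x.x eq www
access-list VPN_CLIENTS_FILTER extended permit ip 10.10.10.0 255.255.255.0 any
!
group-policy RA_POLICY attributes
 vpn-filter value VPN_CLIENTS_FILTER
!
tunnel-group RA_TUNNEL general-attributes
 default-group-policy RA_POLICY
!
! 3. Verify: the session should show the filter name, and the deny ACE
!    should accumulate hit counts when a client tries x.x.x.x on port 80.
show vpn-sessiondb detail remote
show access-list VPN_CLIENTS_FILTER
```

Existing sessions pick up the filter only after they reconnect, so clear or re-establish the test client's tunnel before checking hit counts.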