12-20-2007 10:25 AM - edited 03-09-2019 07:41 PM
I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-
12-20-2007 10:52 AM
So you have something like this?
access-list outbound out interface outside
12-20-2007 11:24 AM
almost:
access-group outbound out interface outside
with
access-list outbound extended deny tcp any host x.x.x.x www
inside can't www to x.x.x.x, but vpn clients can.
12-20-2007 11:48 AM
I would assume this is because of...
sysopt connection permit-vpn
This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all IPsec VPN traffic.
Another option is to use a vpn-filter assigned to the vpn tunnel group policy.
12-20-2007 12:40 PM
Hmmm. There's no sysopt in the config. So I am correct that the expected behavior from my config should be for the www VPN client traffic to hit outbound ACLs?
Any other ideas?
Thanks
12-20-2007 12:56 PM
Try..
show run sysopt
12-21-2007 05:49 AM
Bingo. So a little digging shows 'sysopt connection permit-vpn' is enabled by default post 7.0. This would explain why I don't see it explicitly in the config. Thanks!
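The two fixes suggested in the thread, written out as ASA configuration. This is an added example, not config posted by anyone in the thread: the pool network 10.10.10.0/24, the group-policy name RA-VPN and the ACL name RA-VPN-FILTER are assumed, and x.x.x.x stands for the blocked web host exactly as in the original posts.

```cisco
! --- Situation described in the thread ---
! "sysopt connection permit-vpn" is on by default in 7.x and is NOT shown by
! "show run", only by "show run sysopt" or "show run all". With it enabled,
! decrypted VPN client traffic skips the interface ACLs, so the hairpinned
! web session from a VPN client never sees the outbound ACL below.
access-list outbound extended deny tcp any host x.x.x.x eq www
access-list outbound extended permit ip any any
access-group outbound out interface outside

! --- Option A: make ALL VPN traffic subject to interface ACLs (global) ---
! After this, decrypted traffic arriving on the outside interface is checked
! against the inbound ACL on outside as well, so every IPsec tunnel (RA and
! LAN-to-LAN) must be explicitly permitted there or it will be dropped.
no sysopt connection permit-vpn

! --- Option B: filter only this tunnel group's clients with a vpn-filter ---
! The vpn-filter ACL is written with the VPN client as the source; the ASA
! applies it to both directions of the flow itself. It ends in an implicit
! deny, so the blanket permit at the end is required or clients lose all
! connectivity, not just access to x.x.x.x.
access-list RA-VPN-FILTER extended deny tcp 10.10.10.0 255.255.255.0 host x.x.x.x eq www
access-list RA-VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 any
group-policy RA-VPN attributes
 vpn-filter value RA-VPN-FILTER

! --- Verify ---
show run sysopt
show run group-policy RA-VPN
show access-list RA-VPN-FILTER
```

Option B is the one to prefer when only remote-access clients need the restriction: it is scoped to the group policy, so existing LAN-to-LAN tunnels keep working unchanged, and the hit counts from `show access-list RA-VPN-FILTER` confirm the deny line is actually being matched by client traffic.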