ASA rule to not bypass ACLs over VPN

Apr 28th, 2009


I have a new ASA and have connected a VPN. It seems to not care about any ACLs I put on; then I remembered there is a command I can add so VPNs use ACLs. What is this?


Todd Pula Tue, 04/28/2009 - 13:50

Are you referring to not having to add VPN related protocols to an ingress ACL applied to the outside interface? If so, you are more than likely referring to the "sysopt connection permit-vpn".

Right, that is the normal configuration. In 8.x and maybe 7.x there is a command 'vpn-filter' which can be set per group-policy and reference an ACL. That ACL will be imposed on inbound traffic and outbound traffic.

Alternatively, you have to disable the 'sysopt connection permit-ipsec' (or 'permit-vpn' for 8.x), and then create an ACL that you apply to your outside interface to allow IPSec traffic connections, but filter access to internal systems.

Using the vpn-filter command is MUCH easier though.
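The vpn-filter approach described in the reply above, as an added example configuration that is not from the thread or from Cisco documentation; the address pool, inside subnet and group-policy name are constructed values.

```cisco
! Added example: restrict one remote-access VPN group to HTTP/HTTPS on an
! internal subnet with vpn-filter. Constructed/assumed values: client pool
! 10.10.10.0/24, inside subnet 192.168.1.0/24, group-policy RA-POLICY.
!
! vpn-filter ACEs are always evaluated with the VPN peer as the source and
! the local network as the destination, in both directions, even for
! connections an inside host initiates toward the VPN client.
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
! Let inside hosts RDP *to* VPN clients: the client side is still written as
! the source, so the port goes on the source half of the ACE.
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0
! Implicit deny at the end of the list drops all other tunnel traffic.
!
group-policy RA-POLICY attributes
 vpn-filter value RA-VPN-FILTER
!
! sysopt connection permit-vpn stays at its default (enabled): decrypted
! traffic still bypasses the outside interface ACL, but is now checked
! against RA-VPN-FILTER.
!
! Verify the filter is attached and watch hit counts while a client tests.
show running-config group-policy RA-POLICY
show access-list RA-VPN-FILTER
```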

whiteford Fri, 05/01/2009 - 07:39

Thanks, "sysopt connection permit-vpn" was the one I used.

