IPSec VPN and ACL Issue

Unanswered Question
Jun 1st, 2009


I am using a Cisco ASA 5510 as my organization's firewall, which we purchased a few days ago. I have created an IPSec Remote Access VPN with it. My branch office is located in another city, which I need to connect through the VPN.

I have configured my IPSec VPN on the ASA with all the policies I need, and at the client end installed the Cisco VPN Client software. Now I can connect to my VPN server (ASA) from my branch office. I am also getting an IP address from the pool which I allocated during setup of the VPN.

Public IP configured on my ASA (outside):

Inside IP:

My local network is running on 10.10.x.x

VPN client pool is:

I want to apply an ACL on my VPN traffic so that it is restricted, in the sense that I don't want my VPN users to access any resource in my head office except 2 web applications and 1 software application.

Initially, I can ping from head office to branch office and vice versa after the VPN is connected, with no ACLs configured.

Now my question is: in what way do I need to apply an ACL between my outside and inside users? I tried to apply an ACL, but all my resources are still available to users.

access-list 101 deny tcp eq http

access-group 101 in interface outside

This is the ACL which I have applied on my outside interface, but even after that I can still access everything from my branch office.

Can anyone help me out?


Sysopt-connection permit ipsec is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL. You could either remove that command, not necessarily recommended, or if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass nat for the addresses you want to allow users to access.

Remember, if you remove "sysopt connection permit ipsec", you'll have to specifically allow access to any service you want VPN users to access.

Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.

You should probably also edit your post and remove your public IP address.
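The two options in the reply above, written out as an added ASA configuration example (not the original poster's or the answerer's config). It assumes the ASA 8.0/8.2-era syntax of the time: the interface-ACL bypass keyword is `sysopt connection permit-vpn` on the ASA, and NAT exemption is `nat (inside) 0 access-list`. The addresses are constructed placeholders: 192.0.2.0/24 stands in for the VPN client pool, 10.10.1.10 and 10.10.1.11 for the two web servers, and 10.10.1.20 port 1433 for the one software application's server and port; substitute your own values.

```cisco
! ---- Option A: stop VPN traffic bypassing the outside ACL, then permit only what is needed ----
! Without this, decrypted VPN traffic is never checked against the outside interface ACL,
! which is why ACL 101 in the question had no effect.
no sysopt connection permit-vpn

! Allow the (constructed) client pool 192.0.2.0/24 to reach only the three applications.
! Every other destination falls through to the implicit deny at the end of the ACL.
access-list VPN_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.1.10 eq www
access-list VPN_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.1.11 eq www
access-list VPN_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.1.20 eq 1433
! Optional: keep the log keyword on the final deny so blocked attempts show up in syslog.
access-list VPN_IN extended deny ip 192.0.2.0 255.255.255.0 any log

access-group VPN_IN in interface outside

! ---- Option B: keep the bypass, but narrow the NAT-exemption ACL ----
! Only the two web servers and the application server are exempted from NAT towards the
! pool; anything else on 10.10.x.x is not reachable over the tunnel.
access-list NONAT extended permit ip host 10.10.1.10 192.0.2.0 255.255.255.0
access-list NONAT extended permit ip host 10.10.1.11 192.0.2.0 255.255.255.0
access-list NONAT extended permit ip host 10.10.1.20 192.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Option A is the cleaner control because it is an explicit allow-list with logging, but note that `no sysopt connection permit-vpn` applies to every tunnel terminating on the ASA, so any site-to-site VPN on the same box also needs its traffic permitted on the outside ACL. Option B relies on NAT behaviour rather than a filter, so it is easier to undo by accident when the NAT configuration is changed later; verify it with `show access-list NONAT` and a test connection from a VPN client to a host that is not in the list.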
