Remote access vpn issue in ASA Firewall.

Feb 13th, 2010

Hi all,

I have terminated Remote access VPN in ASA 5510 version 8.2 firewall outside interface and I have kept all the servers in outside interface only.

I have bound an ACL to restrict some servers, but after binding the ACL in outside it's not taking effect. Now after connecting to the VPN all the users can access the servers.

I have enabled same security interface intra interface in firewall.

Please help me.

Federico Coto F... Sat, 02/13/2010 - 08:06


If you have ACLs restricting VPN traffic, they are not going to work by default because all VPN traffic is permitted regardless of the ACLs.

There's a command on the ASA that is: sysopt connection permit-vpn

This command tells the ASA to bypass the outside ACL when the traffic received is VPN.

So, to restrict VPN traffic you should remove this command and specify in the ACLs the traffic that you want to permit.

Hope this helps.


jayaramakrishnan Sat, 02/13/2010 - 21:05


I have removed this command in the firewall, but still after connecting to the VPN I am able to access all the VPN.

One more thing: I have terminated the VPN on outside and bound the ACL to the outside interface.

ASA(config)#no sysopt connection permit-vpn



Federico Coto F... Sun, 02/14/2010 - 09:18

Have you tried applying the ACL in the outbound direction on the outside interface?

In this way, the VPN traffic will terminate on the ASA, will be decrypted, and then will be routed out the same interface with the same-security intra-interface command, but before the traffic is sent out it should be checked by the ACL (if applied outbound on the outside interface).

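Federico's suggestion above, as an added example configuration that is not from the thread: ASA 8.2 syntax, with the interface address, client pool, server address and ACL name all assumed.

```cisco
! Added example (not the original poster's config); addresses and names are assumed
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
! Let decrypted VPN traffic be routed back out the interface it arrived on
same-security-traffic permit intra-interface
!
! Default setting that lets VPN traffic bypass interface ACLs; remove it so
! decrypted client traffic is subject to the ACL below
no sysopt connection permit-vpn
!
! Remote-access client pool (assumed range)
ip local pool RA_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! Block VPN clients from the restricted server, allow everything else
access-list OUTSIDE_OUT extended deny ip 10.10.10.0 255.255.255.0 host 203.0.113.50
access-list OUTSIDE_OUT extended permit ip any any
!
! Applied outbound so the decrypted traffic is checked before it is sent
! back out the outside interface toward the servers
access-group OUTSIDE_OUT out interface outside
!
! Verify: hit counts on the deny line should increase when a client tries the server
show access-list OUTSIDE_OUT
```

An ACL applied with `in interface outside` only sees the encrypted tunnel packets, not the decrypted client traffic, which is why the original inbound binding never matched.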

jayaramakrishnan Sun, 02/14/2010 - 22:46

Yes Federico, tried that option too.

Access-list outside extended deny any is my pool range.

I have bound the above ACL in the firewall, but no luck.

One doubt: is there anything we need to bind this ACL to in the VPN config?

Federico Coto F... Mon, 02/15/2010 - 11:24

Let me try it because I'm pretty sure that it works....

Now, if you have a router behind the ASA, you can send the VPN traffic to that router and back to the ASA (so it will be checked by the ACLs on the ASA).
