sysopt connection permit-vpn

Answered Question
Jun 10th, 2010
User Badges:

Just need someone to verify this..

The command " sysopt connection permit-vpn" tells the ASA to allow the VPN traffic regardless of access-lists, correct?

and I can choose not to use this command and control the traffic on the outside access list?

Thanks in advance!

Correct Answer by Federico Coto F... about 7 years 1 month ago


What you're saying is correct.

However to restrict VPN traffic, I prefer to leave the sysopt and create vpn-filters.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Correct Answer
Federico Coto F... Thu, 06/10/2010 - 06:59
User Badges:
  • Green, 3000 points or more


What you're saying is correct.

However to restrict VPN traffic, I prefer to leave the sysopt and create vpn-filters.


networker99 Thu, 06/10/2010 - 07:06
User Badges:

okay thanks.. and is it correct that my outside access-lists used for the VPN traffic all retain a hit count of 0?

Federico Coto F... Thu, 06/10/2010 - 07:12
User Badges:
  • Green, 3000 points or more


The outside ACL will only check VPN traffic if you remove the sysopt command.

If you remove the sysopt command, the outside ACL will get the hitcounts incrementing for incoming traffic that matches the ACL (even if it's VPN).

However, I don't have an ASA handy to test it.


networker99 Thu, 06/10/2010 - 07:22
User Badges:

I am not using the Sysopt command, and I am not seeing hit counts, but it appears to be working.  Also with the filters, do they only allow traffic the way you write the ACL?, or do they just apply to inbound traffic from the remote side?

francisco_1 Thu, 06/10/2010 - 07:03
User Badges:
  • Gold, 750 points or more

yes that's correct.

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.


networker99 Thu, 06/10/2010 - 07:36
User Badges:

So if the traffic is allowed on 443, it also has to be allowed out on 443?, (not just the response?)

tsmarcyes Mon, 04/11/2011 - 08:13
User Badges:

Does this command ONLY bypass JUST the ACL on the interface or does it bypass service policies?  With this command enabled, would it also bypass the global service policy?

mile.ljepojevic Mon, 06/13/2011 - 14:20
User Badges:


I just want something cleared...

If I terminate VPN on the outside interface, it will bypass only OUTSIDE interface...

If I apply some access-group on the INSIDE interface OUT it will still block undesired traffic from VPN?

Jennifer Halim Mon, 06/13/2011 - 17:06
User Badges:
  • Cisco Employee,

Yes, you are absolutely correct.

Or alternatively, you can also configure "vpn-filter" to only allow specific traffic from remote VPN Client access.

athukral Wed, 06/15/2011 - 22:56
User Badges:
  • Silver, 250 points or more

Hello Lewis,

Please mark it as answered, if your querry is resolved. Appreciate  your time!

Please do rate the helpful discussion, as that helps us to serve you better!!


Ankur Thukral

Community  Manager- Security & VPN

Rafael Mendes Wed, 10/16/2013 - 13:03
User Badges:

Hello Guys,

One simple question.

When i disable the command "sysopt connection permit-vpn" the negociation traffic(acl exchange over the Firewalls) in phase two of vpn continue to be negotiated using the crypto map configuration?

The only difference is when i disable this command i need to allow this traffic in outside interface too, right?

Jouni Forss Wed, 10/16/2013 - 13:08
User Badges:
  • Super Bronze, 10000 points or more


The only thing disabling this default setting of "sysopt connection permit-vpn" does is that any traffic coming through a VPN connection doesnt get a free pass through the "outside" interface ACL. It doesnt have effect on the actual VPN negotiation.

- Jouni

ahmad82pkn Mon, 02/29/2016 - 19:58
User Badges:

Want to clarify a funny thing.

Due to some requirement, i had to configure Remote VPN on LAN Interface of Cisco ASA with in office.

so now when i connect VPN ( that is enabled on LAN interface High security Zone ), i was able to access my Low Seurity zone DMZ, Even if i had ACL on out direction on DMZ interface that was denying the traffic.

means my ACL has no effect, so when i disabled sysopt command then my ACL started blocking traffic and become in action. so its not about on which interface crypto is applied.

in my case even if crypto applied on LAN Side, and traffic wanted to go out to DMZ( Less secure ) Even then ACL was not triggering.

Its called real world functionality :D


This Discussion