06-10-2010 06:52 AM
Just need someone to verify this..
The command " sysopt connection permit-vpn" tells the ASA to allow the VPN traffic regardless of access-lists, correct?
and I can choose not to use this command and control the traffic on the outside access list?
Thanks in advance!
06-10-2010 06:59 AM
Hi,
What you're saying is correct.
However to restrict VPN traffic, I prefer to leave the sysopt and create vpn-filters.
Federico.
06-10-2010 07:06 AM
Okay, thanks. And is it correct that my outside access-lists used for the VPN traffic all retain a hit count of 0?
06-10-2010 07:12 AM
Hi,
The outside ACL will only check VPN traffic if you remove the sysopt command.
If you remove the sysopt command, the outside ACL will get its hit counts incrementing for incoming traffic that matches the ACL (even if it's VPN).
However, I don't have an ASA handy to test it.
Federico.
06-10-2010 07:22 AM
I am not using the sysopt command, and I am not seeing hit counts, but it appears to be working. Also, with the filters, do they only allow traffic the way you write the ACL, or do they just apply to inbound traffic from the remote side?
07-14-2020 12:11 PM
I know I am very late to the thread here, but does this option also bypass OUTGOING rules? I ask because I recently implemented some outgoing rules on our outside interface and it affected the traffic on the B2B VPN. When disabling the rule, the traffic on the B2B VPN returned to normal. Does the sysopt connection permit-vpn only apply to incoming rules?
Thank you.
06-10-2010 07:03 AM
Yes, that's correct.
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.
Francisco
06-10-2010 07:29 AM
The vpn-filter has to be applied bidirectionally.
Take a look:
Federico.
06-10-2010 07:36 AM
So if the traffic is allowed in on 443, it also has to be allowed out on 443 (not just the response)?
06-10-2010 07:41 AM
Correct.
Federico.
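As an added illustration (not configuration posted by anyone in this thread), here is an ASA fragment that leaves sysopt in place and uses a vpn-filter to restrict a site-to-site tunnel to HTTPS in both directions, as discussed above; the networks, the peer address (203.0.113.5, a documentation address) and the object names are constructed for the example.

```cisco
! Constructed example: local LAN 10.1.1.0/24, remote site 192.168.50.0/24,
! peer 203.0.113.5. All names and addresses are hypothetical.
!
! Keep the default: decrypted tunnel traffic skips the outside interface
! ACL (hence zero hits there), but vpn-filter, group policy and the
! service policy still apply to it.
sysopt connection permit-vpn

! vpn-filter ACEs are written with the remote peer as the SOURCE and are
! checked for traffic in both directions of the tunnel.
! 1) Remote hosts may reach the local HTTPS server.
access-list VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
! 2) Local hosts may open HTTPS to the remote site. The remote side is
!    still the source, so "eq 443" sits on the remote (source) side.
access-list VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
! Anything else crossing the tunnel is dropped by the implicit deny.

group-policy B2B_SITE_POLICY internal
group-policy B2B_SITE_POLICY attributes
 vpn-filter value VPN_FILTER

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy B2B_SITE_POLICY

! Do not reuse VPN_FILTER as an interface access-group; verify hits on
! the filter rather than on the outside ACL:
! show access-list VPN_FILTER
```

Because the filter is evaluated on both the post-decrypt and pre-encrypt paths, a tunnel that only needs HTTPS from the remote side toward the local server needs only ACE 1; add ACE 2 only when local hosts must initiate HTTPS toward the remote site.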
04-11-2011 08:13 AM
Does this command ONLY bypass JUST the ACL on the interface or does it bypass service policies? With this command enabled, would it also bypass the global service policy?
04-11-2011 04:10 PM
It will just bypass the ACL applied on the interface where you terminate the VPN (typically your outside interface). Service policy will still be applied to the VPN traffic.
Here is the command reference on "sysopt connection permit-vpn":
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217
Hope that helps.
06-13-2011 02:20 PM
Hi,
I just want something cleared...
If I terminate VPN on the outside interface, it will bypass only OUTSIDE interface...
If I apply an access-group on the INSIDE interface in the OUT direction, will it still block undesired traffic from the VPN?
06-13-2011 05:06 PM
Yes, you are absolutely correct.
Or alternatively, you can also configure "vpn-filter" to only allow specific traffic from remote VPN Client access.
06-15-2011 10:56 PM
Hello Lewis,
Please mark it as answered if your query is resolved. Appreciate your time!
Please do rate the helpful discussion, as that helps us to serve you better!!
Regards,
Ankur Thukral
Community Manager- Security & VPN