Blocking traffic

Answered Question
Aug 27th, 2010

I have an ASA5520. I have a host I need to block access to for users who come in on a VPN. When they come in they get an IP from the ASA on a unique subnet. Thought it would be easy and I could just block the traffic with an ACL statement on the INSIDE interface, but the traffic still got through. 0 hits on the ACL. I did a syslog and saw the traffic going through the OUTSIDE interface, so I decided to add an ACL statement there and the traffic still got through. Hmmmm... Am I missing something? Does the ASA treat traffic on VPN differently?

Kevin Redmon Fri, 08/27/2010 - 11:57

The command that may be causing you this grief is 'sysopt connection permit-vpn'.  This command, based on the command reference below, allows all VPN traffic to bypass access-lists:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

To confirm if this command is enabled on your device, run the command 'show run all sysopt'.  To disable this command, requiring all VPN traffic to be checked against the access-lists, issue the command 'no sysopt connection permit-vpn'.

Give this a shot!  If it helps, be sure to mark this thread as answered.

Best Regards,

Kevin

HMidkiff Fri, 08/27/2010 - 13:20

Kevin:

Thank you for replying to my post.

You were right. Output is below. I assume if I remove the "sysopt connection permit-vpn" I will need to have ACLs configured to allow traffic to my VPN clients?

ASA5520(config)# sh run all sysopt

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn

Thanks again....

Harrison

Kevin Redmon Fri, 08/27/2010 - 13:54

Harrison,

Actually, you shouldn't need access-lists to get to your clients unless you have explicitly chosen to configure an access-list on the inside interface (on an ASA, high-to-low traffic is permitted by default) - this 'sysopt' command shouldn't affect traffic to the clients in either case. However, as the clients enter your network, they will be susceptible to the interface access-lists that you have defined, for instance, 'access-group inside_out out interface inside'.

If you read the command reference, it gives a pretty good summary as to the command expectations. Also, as provided within this command reference, you may benefit from group policy and per-user authorization access lists as, even in the presence of 'sysopt connection permit-vpn', these still apply to the traffic.

Hope this helps.

Kevin

manish arora Fri, 08/27/2010 - 13:55

Hi Harrison,

Just for your information, removing sysopt connection permit-vpn will also make your L2L VPN traffic be screened against the outside interface access list. If you want to just stop access to the host for remote VPN clients and have split tunnelling configured, you just deny access to the host from the split tunnel ACL.

Thanks

Manish

HMidkiff Fri, 08/27/2010 - 14:43

Kevin:

Thanks again for replying.

I tried denying the traffic there too and it still makes it through. On the ACL I moved it to the top.

Harrison

manish arora Fri, 08/27/2010 - 14:58

Can you post your configuration without public IPs and passwords?

Thanks

Manish

HMidkiff Mon, 08/30/2010 - 08:14

Manish:

Thanks for your reply to my posts.

I fixed the problem. In my split tunnel statements I had allowed access to the specific host higher in the ACL. I removed it and the host was blocked.

Thanks for your help....

Harrison
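An added configuration example, not posted by anyone in this thread, that ties together the two controls discussed above: the `show run all sysopt` check Kevin suggests, a split-tunnel list that simply does not carry a permit for the protected host (Harrison's fix), and a group-policy `vpn-filter`, which Kevin notes is enforced on VPN traffic even while `sysopt connection permit-vpn` is present. The addresses, ACL names and the group-policy name are placeholders.

```cisco
! 1. Check whether VPN traffic is bypassing the interface ACLs at all.
!    If "sysopt connection permit-vpn" appears, interface ACLs on inside
!    and outside will never see the client traffic (0 hits, as in the thread).
ASA5520# show run all sysopt

! 2. Split-tunnel list: only networks with a "permit" entry are routed through
!    the tunnel by the client. Keep the protected host out of this list; any
!    "permit" that covers it, wherever it sits, sends client traffic to it.
!    Note this only steers the client's routing; it is not an enforcement point.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
! (protected host 10.20.1.50 is deliberately not listed)

! 3. Enforcement on the ASA itself: a vpn-filter applied to the group policy.
!    First match wins, so the deny sits above the final permit. This applies to
!    tunnel traffic regardless of the sysopt setting or the interface ACLs.
access-list VPN_CLIENTS_FILTER extended deny ip any host 10.20.1.50
access-list VPN_CLIENTS_FILTER extended permit ip any any

group-policy RA_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_CLIENTS_FILTER

! 4. Verify: a VPN client attempting the host should increment the deny entry.
ASA5520# show access-list VPN_CLIENTS_FILTER
```

Interface ACLs only become a second line of defence for this traffic after `no sysopt connection permit-vpn`, which, as Manish points out, also subjects L2L tunnels to the outside interface ACL.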

Correct Answer
Kevin Redmon Mon, 08/30/2010 - 08:20

Harrison,

If you can, please be sure to mark this thread as 'answered' for the benefits of others.

Thanks for using the Support Forums.

Best Regards,

Kevin
