08-27-2010 11:47 AM - edited 03-11-2019 11:31 AM
I have an ASA5520. I have a host I need to block access to for users who come in on a VPN. When they come in they get an IP from the ASA on a unique subnet. Thought it would be easy and I could just block the traffic with an ACL statement on the INSIDE interface, but the traffic still got through. 0 hits on the ACL. I did a syslog and saw the traffic going through the OUTSIDE interface, so I decided to add an ACL statement there and the traffic still got through. Hmmmm. Am I missing something? Does the ASA treat traffic on VPN differently?
08-27-2010 11:57 AM
The command that may be causing you this grief is 'sysopt connection permit-vpn'. This command, based on the command reference below, allows all VPN traffic to bypass access-lists:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217
To confirm if this command is enabled on your device, run the command 'show run all sysopt'. To disable this command, requiring all VPN traffic to be checked against the access-lists, issue the command 'no sysopt connection permit-vpn'.
Give this a shot! If it helps, be sure to mark this thread as answered.
Best Regards,
Kevin
08-27-2010 01:20 PM
Kevin:
Thank you for replying to my post.
You were right. Output is below. I assume if I remove the "sysopt connection permit-vpn" I will need to have ACLs configured to allow traffic to my VPN clients?
ASA5520(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
Thanks again....
Harrison
08-27-2010 01:54 PM
Harrison,
Actually, you shouldn't need access-lists to get to your clients unless you have explicitly chosen to configure an access-list on the inside interface (on an ASA, high-to-low traffic is permitted by default) - this 'sysopt' command shouldn't affect traffic to the clients in either case. However, as the clients enter your network, they will be susceptible to the interface access-lists that you have defined, for instance, 'access-group inside_out out interface inside'.
If you read the command reference, it gives a pretty good summary as to the command expectations. Also, as provided within this command reference, you may benefit from group policy and per-user authorization access lists as, even in the presence of 'sysopt connection permit-vpn', these still apply to the traffic.
Hope this helps.
Kevin
08-27-2010 01:55 PM
Hi Harrison,
Just for your information, removing sysopt connection permit-vpn will also make your L2L VPN traffic screened against the outside interface access list. If you want to just stop access to the host for remote VPN clients and have split tunnelling configured, you just deny access to the host from the split tunnel ACL.
Thanks
Manish
08-27-2010 02:43 PM
Kevin:
Thanks again for replying.
I tried denying the traffic there too and it still makes it through. On the ACL I moved it to the top.
Harrison
08-27-2010 02:58 PM
Can you post your configuration without public IPs and passwords?
Thanks
Manish
08-30-2010 08:14 AM
Manish:
Thanks for your reply to my posts.
I fixed the problem. In my split tunnel statements I had allowed access to the specific host higher in the ACL. I removed it and the host was blocked.
Thanks for your help....
Harrison
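An added configuration sketch, not from this thread or from Cisco, that puts the two mechanisms discussed above side by side: the split-tunnel list fix Harrison applied, and the 'no sysopt connection permit-vpn' route Kevin described. The interface names, ACL names, group-policy name and all addresses are assumptions.

```cisco
! Added example; not the poster's configuration. Assumed addressing:
!   VPN client pool   192.168.50.0/24
!   inside LAN        10.1.2.0/24 (reachable over the tunnel)
!   restricted host   10.1.1.10   (must not be reachable by VPN users)

! 1. Check whether decrypted VPN traffic bypasses interface ACLs.
!    If the output contains "sysopt connection permit-vpn", an inside or
!    outside interface ACL never sees the flow, which is why it showed 0 hits.
ASA5520# show run all sysopt

! 2. Split-tunnel list as it was: the restricted host is explicitly
!    tunnelled, so clients route it into the VPN regardless of interface ACLs.
access-list SPLIT_TUNNEL standard permit host 10.1.1.10
access-list SPLIT_TUNNEL standard permit 10.1.2.0 255.255.255.0

! 3. The fix from the thread: drop the permit for the host. With
!    tunnelspecified, only networks in the list are sent through the tunnel,
!    so the host is no longer reachable from the VPN.
no access-list SPLIT_TUNNEL standard permit host 10.1.1.10
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 4. Alternative: make decrypted VPN traffic subject to the interface ACL.
!    Per Manish's note this also applies to L2L tunnels, so their traffic
!    must be permitted here as well.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip 192.168.50.0 255.255.255.0 host 10.1.1.10
access-list OUTSIDE_IN extended permit ip 192.168.50.0 255.255.255.0 10.1.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

After either change, 'show access-list SPLIT_TUNNEL' or 'show access-list OUTSIDE_IN' shows the hit counts, so a client test against 10.1.1.10 should now register on the deny line or not arrive at the ASA at all.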
08-30-2010 08:20 AM
Harrison,
If you can, please be sure to mark this thread as 'answered' for the benefits of others.
Thanks for using the Support Forums.
Best Regards,
Kevin