no sysopt connection permit-vpn or VPN filter

Ruterford
Level 1

Hi All,

I have a question to pros:

In terms of security and ease of configuration, which option is preferable:

using

"no sysopt connection permit-vpn" and apply inbound ACLs on outside interface

or using VPN filters?

I feel more secure when there is no sysopt connection permit-vpn statement in my ASA, so I can apply inbound ACLs on outside interface.

I am not planning to switch over to VPN filters, and want to hear your opinion.

I have a bunch of L2L tunnels and don't have any access VPN.

Thanks!

4 Replies

Ruterford
Level 1

bump

Only tried vpn-filter once and it didn't work properly, but that was a while ago. I think I was hitting a bug, CSCse67035, and the configuration documentation wasn't very good on the subject at that time. Been running no sysopt conn permit-vpn ever since. In my opinion, if you are always going to restrict all of your VPNs there is no reason for VPN filters. If you have VPNs you don't restrict and others you do, then VPN filters may make more sense from a management standpoint.
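As an added example (not from the original question or the reply above), here are the two approaches the thread contrasts, written as ASA configuration fragments. All addresses, object names, ACL names and the peer IP are made up for illustration; adapt them to your own tunnels.

```cisco
! ---- Option A: no sysopt connection permit-vpn + inbound ACL on outside ----
! With this set, decrypted L2L traffic is checked against the outside
! interface ACL like any other inbound packet. Traffic TO the ASA itself
! (IKE UDP/500, UDP/4500, ESP) is not subject to interface ACLs, so the
! tunnels still come up without extra permit lines for them.
no sysopt connection permit-vpn
!
! Hypothetical addressing: remote site 10.20.0.0/16, local server 10.10.1.20
object-group network REMOTE_SITE_A
 network-object 10.20.0.0 255.255.0.0
object-group network LOCAL_SERVERS
 network-object host 10.10.1.20
!
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_SITE_A object-group LOCAL_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ---- Option B: keep the default sysopt and restrict per tunnel with vpn-filter ----
! sysopt connection permit-vpn is the default, so decrypted traffic bypasses
! the interface ACL; the vpn-filter ACL in the group-policy restricts it instead.
sysopt connection permit-vpn
!
! vpn-filter ACLs are written REMOTE -> LOCAL (source = peer's networks,
! destination = your networks) and are applied to traffic in both
! directions; the ASA mirrors the entry for connections initiated locally.
access-list VPNFILTER_SITE_A extended permit tcp 10.20.0.0 255.255.0.0 host 10.10.1.20 eq 443
!
group-policy GP_SITE_A internal
group-policy GP_SITE_A attributes
 vpn-filter value VPNFILTER_SITE_A
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITE_A

! ---- Checks (either option) ----
! show run sysopt                  -> confirms which mode is active
! show access-list OUTSIDE_IN      -> hit counts on the outside ACL (Option A)
! show vpn-sessiondb l2l           -> "Filter Name" column shows the applied vpn-filter (Option B)
```

The practical difference matches the reply above: Option A gives one ACL that every tunnel is subject to, which is simple when you intend to restrict all of them; Option B lets you leave some tunnels unrestricted (no vpn-filter in their group-policy) and restrict others, at the cost of the reversed source/destination convention in the filter ACL, which is the part that most often bites when a filter "doesn't work".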

@acomiskey did this bug some how get fixed? Or does this issue still occur?

@rfeero please note you are replying to a thread that was last updated almost 11 years ago.
