Cisco Support Community

allow outgoing and deny incoming?

Hi,

I have a query in regards to stateful firewalls.

On a site-to-site VPN, can we allow outgoing and deny all incoming traffic from the peer IP?

Which looks like:

Site A outgoing is allowed to Site B

Site A incoming is denied from Site B

Can anyone please explain how this is possible on a stateful firewall?

How deeply does it inspect the packet?

Thanks,

Srikanth

Accepted Solution

Hello Srikanth,

You will need to disable sysopt connection permit-vpn with the command:

no sysopt connection permit-vpn

This will cause the ASA to inspect all traffic coming from the lower security level with the ACL (even the VPN traffic, which was not inspected because of the sysopt that says VPN traffic bypasses the ACL).

Then on the ACL just add a deny line from that network to your network.

Regards,

Julio

Do rate helpful posts!!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
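The two steps in the accepted answer written out as an ASA configuration, as an added example that is not part of the original post and not Julio's own config. The interface names (inside/outside), the ACL names OUTSIDE_IN and INSIDE_IN, and the networks 10.1.0.0/24 (site A, this ASA) and 10.2.0.0/24 (site B, behind the tunnel) are assumptions; replace them with your own. The packet-tracer lines at the end are exec-mode checks, not configuration.

```cisco
! Added example, not from the original post. Assumed addressing:
!   site A LAN 10.1.0.0/24 on "inside" (this ASA)
!   site B LAN 10.2.0.0/24 reached through the site-to-site tunnel on "outside"

! Step 1: stop decrypted VPN traffic from bypassing the outside interface ACL.
! sysopt connection permit-vpn is enabled by default on the ASA, so this
! line is required; without it the ACL below is never consulted for tunnel traffic.
no sysopt connection permit-vpn

! Step 2: outside-interface ACL. Decrypted traffic from site B is now checked
! against it like any other inbound packet. The explicit deny makes the intent
! visible and gives a hit counter in "show access-list"; the implicit deny at
! the end of the ACL would drop the traffic anyway if no permit matched.
access-list OUTSIDE_IN extended deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 log
! (any permits for other inbound traffic on "outside" go here)
access-group OUTSIDE_IN in interface outside

! Site A still initiates toward site B. Return traffic for those connections is
! matched by the ASA connection table, not by OUTSIDE_IN, so the deny above
! does not break replies to connections site A opened.
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-group INSIDE_IN in interface inside

! Verification (exec mode, tunnel must be up for the VPN lookup to succeed):
!   new connection from site B should be dropped by OUTSIDE_IN
! packet-tracer input outside tcp 10.2.0.5 12345 10.1.0.5 445
!   new connection from site A should be allowed
! packet-tracer input inside tcp 10.1.0.5 12345 10.2.0.5 445
!   hit count on the deny line should increase when site B tries to initiate
! show access-list OUTSIDE_IN
```

Two caveats when you apply this. First, the interface ACL is evaluated only for the first packet of a new connection; once the stateful connection entry exists, the return packets of a connection that site A opened are permitted by that entry, which is exactly why "allow outgoing, deny incoming" works on a stateful firewall. Second, no sysopt connection permit-vpn is global: every other tunnel terminating on this ASA (other site-to-site peers, remote-access clients) also loses the ACL bypass, so audit the outside ACL for permits those tunnels need before you commit the change.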