ASA 7.3 - logging sysopt connection permit-vpn

The client has an outside ASA in transparent mode which has the "sysopt connection permit-vpn" enabled, there are also ACL rules to only allow certain outside Internet located routers to create VPNs to the internal ASA.

How is it best to log connections from the external routers on the transparent ASA? At the moment it is set to log at level 4 but the probable questions are:

1) Is "sysopt connection permit-vpn" relevant on an ASA in transparent mode that isn't terminating the VPNs?

2) If a transparent mode ASA has ACL rules for the usual VPN protocols included in the outside interface ACLs, will they ever get matched?

3) Can we do away with the ACL entries or is the sysopt command redundant on a transparent ASA?

Thanks

Mel

Accepted Solutions

ASA 7.3 - logging sysopt connection permit-vpn

Hello Mel,

1- No, as that command is only for a VPN endpoint with ACLs. In this case it is just a VPN pass-through device.

2- Yes, they will get matched as usual, as traffic from the lower security level to the higher will need to be allowed over an interface.

3- If you take out the ACL on the Outside (Transparent ASA) then the VPN attempts will not be allowed to the internal ASA.

The sysopt connection permit-vpn should be relevant only to the internal ASA.

Remember to rate all the helpful posts, that is as good as a thanks.

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
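To make the split in the answer concrete, here is an added configuration sketch (not from the thread, and not Cisco's reference config): the pass-through transparent ASA relies entirely on a logged interface ACL, while sysopt connection permit-vpn lives only on the internal ASA that terminates the tunnels. The object-group name, ACL name, interface name and all IP addresses are constructed placeholders; the "log 4" level follows the warnings-level logging the question mentions.

```cisco
! --- Transparent (outside) ASA: VPN pass-through only, so the ACL does the filtering.
! Permitted Internet routers (constructed placeholder addresses).
object-group network VPN-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! IKE (UDP/500), NAT-T (UDP/4500) and ESP from the permitted peers to the internal ASA.
! "log 4" emits syslog 106100 at warnings level when an entry is hit, which is how
! connections from the external routers can be logged on this unit.
access-list OUTSIDE_IN extended permit udp object-group VPN-PEERS host 198.51.100.5 eq isakmp log 4
access-list OUTSIDE_IN extended permit udp object-group VPN-PEERS host 198.51.100.5 eq 4500 log 4
access-list OUTSIDE_IN extended permit esp object-group VPN-PEERS host 198.51.100.5 log 4
!
! Everything else is dropped and logged, so VPN attempts from unexpected sources are visible.
access-list OUTSIDE_IN extended deny ip any any log 4
access-group OUTSIDE_IN in interface outside
!
! --- Internal ASA (VPN endpoint): the only place the sysopt command matters.
! With it enabled, decrypted VPN traffic bypasses the interface ACL on this unit;
! it has no effect on the transparent pass-through ASA above.
sysopt connection permit-vpn
```

Without the three permit entries on the transparent unit, IKE and ESP from the peers never reach the internal ASA regardless of the sysopt setting there.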
2 REPLIES
ASA 7.3 - logging sysopt connection permit-vpn

Thanks Julio, that has cleared up some points we weren't too clear about.
