I have an ASA5520. I have a host I need to block access to for users who come in on a VPN. When they come in they get an IP from the ASA on a unique subnet. Thought it would be easy and I could just block the traffic with an ACL statement on the INSIDE interface, but the traffic still got through. 0 hits on the ACL. I did a syslog and saw the traffic going through the OUTSIDE interface, so I decided to add an ACL statement there and the traffic still got through. Hmmmm. Am I missing something? Does the ASA treat traffic on VPN differently?
The command that may be causing you this grief is 'sysopt connection permit-vpn'. This command, based on the command reference below, allows all VPN traffic to bypass access-lists:
To confirm if this command is enabled on your device, run the command 'show run all sysopt'. To disable this command, requiring all VPN traffic to be checked against the access-lists, issue the command 'no sysopt connection permit-vpn'.
Give this a shot! If it helps, be sure to mark this thread as answered.
Thank you for replying to my post.
You were right. Output is below. I assume if I remove the "sysopt connection permit-vpn" I will need to have ACLs configured to allow traffic to my VPN clients?
ASA5520(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
Actually, you shouldn't need access-lists to get to your clients unless you have explicitly chosen to configure an access-list on the inside interface (on an ASA, high-to-low traffic is permitted by default) - this 'sysopt' command shouldn't affect traffic to the clients in either case. However, as the clients enter your network, they will be susceptible to the interface access-lists that you have defined, for instance, 'access-group inside_out out interface inside'.
If you read the command reference, it gives a pretty good summary as to the command expectations. Also, as provided within this command reference, you may benefit from group policy and per-user authorization access lists as, even in the presence of 'sysopt connection permit-vpn', these still apply to the traffic.
Hope this helps.
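As an added illustration of the two enforcement paths described in the replies above (this is example configuration, not the poster's or the answerer's own), the snippet below shows the check, the interface-ACL route once 'sysopt connection permit-vpn' is removed, and the group-policy vpn-filter route that filters VPN traffic even while that sysopt stays enabled. All names and addresses are assumptions: 192.168.50.0/24 as the VPN address pool, 10.1.1.50 as the inside host to protect, 'outside' as the nameif, and VPN_GP as the group policy.

```cisco
! Added example, not the original poster's configuration. Constructed values:
! 192.168.50.0/24 = VPN client pool, 10.1.1.50 = protected inside host,
! outside = interface nameif, VPN_GP = group policy name.

! 1. Confirm whether decrypted VPN traffic currently bypasses interface ACLs.
show run all sysopt | include permit-vpn

! 2a. Make VPN traffic subject to the outside interface ACL.
!     Caveat: after this, any site-to-site (L2L) tunnel traffic arriving on
!     outside is screened by the same ACL, so it must be permitted explicitly.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip 192.168.50.0 255.255.255.0 host 10.1.1.50
access-list OUTSIDE_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside

! 2b. Alternative that applies even with 'sysopt connection permit-vpn' left
!     in place: a vpn-filter on the group policy. Write the ACEs from the
!     client's side (source = VPN client); the ASA applies the filter to the
!     tunnel traffic in both directions.
access-list VPN_FILTER extended deny ip any host 10.1.1.50
access-list VPN_FILTER extended permit ip any any
group-policy VPN_GP attributes
 vpn-filter value VPN_FILTER

! 3. Verify: a blocked attempt from a client should now increment the hit
!    count on the deny ACE instead of the 0 hits seen in the question.
show access-list OUTSIDE_IN
show access-list VPN_FILTER
```

The vpn-filter path is the narrower change: it touches only the remote-access group policy, whereas removing the sysopt changes how every tunnel, including L2L, is evaluated against the outside ACL.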
Just for your information, removing sysopt connection permit-vpn will also make your L2L vpn traffic screened against the outside interface access list. If you want to just stop access to the host for remote vpn client and have split tunnelling configured, you just deny access to the host from the split tunnel acl.
Thanks for your reply to my posts.
I fixed the problem. In my split tunnel statements I had allowed access to the specific host higher in the ACL. I removed it and the host was blocked.
Thanks for your help....
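The split-tunnel fix that closed the thread, written out as an added example (not the poster's own configuration): the split-tunnel network list enumerates only the networks remote clients should reach through the tunnel, and a host with no covering entry is never routed into the VPN. Constructed values: 10.1.0.0/16 and 10.2.0.0/16 as the tunnelled networks, 10.3.3.50 as the host to keep unreachable, and VPN_GP as the group policy.

```cisco
! Added example, not the poster's configuration. Constructed values:
! 10.1.0.0/16 and 10.2.0.0/16 = networks clients may reach via the tunnel,
! 10.3.3.50 = host that must not be reachable, VPN_GP = group policy name.

! The split list is matched in order; an earlier 'permit host 10.3.3.50'
! (the entry the poster removed) would have pulled that host into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
! No entry covers 10.3.3.50, so client traffic to it is not tunnelled.

group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verify what the policy will push to connecting clients.
show run access-list SPLIT_TUNNEL
show run group-policy VPN_GP
```

Two things to keep in mind with this approach: the list is pushed to the client and governs the client's routing, so it keeps the host out of the tunnel rather than dropping traffic at the ASA, and if the host sits inside a subnet that must remain tunnelled, the interface ACL or vpn-filter approach from the earlier replies is the one that actually filters it.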