Cisco Support Community
New Member

no sysopt connection permit-vpn or VPN filter

Hi All,

I have a question to pros:

In terms of security and easier configuration, which option is more preferable:

using

"no sysopt connection permit-vpn" and apply inbound ACLs on outside interface

or using VPN filters?

I feel more secure when there is no sysopt connection permit-vpn statement in my ASA, so I can apply inbound ACLs on outside interface.

I am not planning to switch over to VPN filters, and want to hear your opinion.

I have a bunch of L2L tunnels and don't have any access VPN.

Thanks!

2 REPLIES
New Member

no sysopt connection permit-vpn or VPN filter

bump

Green

no sysopt connection permit-vpn or VPN filter

Only tried vpn-filter once and it didn't work properly, but that was a while ago. I think I was hitting a bug CSCse67035, and the configuration documentation wasn't very good on the subject at that time. I've been running no sysopt conn permit-vpn ever since. In my opinion, if you are always going to restrict all of your VPNs there is no reason for vpn filters. If you have VPNs you don't restrict and others you do, then vpn filters may make more sense from a management standpoint.

470 Views | 0 Helpful | 2 Replies
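The two approaches discussed in this thread, side by side on one hypothetical L2L tunnel, as an added example that is not from the original post or reply. The networks (10.10.0.0/16 local, 10.20.0.0/16 remote), the peer address 203.0.113.10 and the ACL, group-policy and tunnel-group names are all constructed for illustration.

```cisco
! Option 1 (the original poster's choice): disable the bypass so decrypted
! L2L traffic is checked by the inbound ACL on the outside interface like any
! other inbound traffic. IKE/ESP addressed to the ASA itself is not governed
! by this ACL. Return traffic for connections the local side initiates is
! handled by stateful inspection, so only remote-initiated flows need entries.
no sysopt connection permit-vpn
!
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list OUTSIDE_IN extended permit icmp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Option 2 (Green's "mixed" case): keep the default bypass so tunnels without
! a filter stay unrestricted, and restrict only this peer with a vpn-filter
! bound through its group policy.
sysopt connection permit-vpn
!
! vpn-filter ACLs are always written with the REMOTE network as source and
! the LOCAL network as destination, whichever side starts the connection.
! Entry 1: remote hosts may reach local web servers on 443.
access-list VPNFILTER_SITEB extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
! Entry 2: local hosts may reach remote web servers on 443 (the port sits on
! the remote/source side). Note this also admits remote source port 443 to
! any local port, a known limitation of the vpn-filter matching model.
access-list VPNFILTER_SITEB extended permit tcp 10.20.0.0 255.255.0.0 eq 443 10.10.0.0 255.255.0.0
!
group-policy GP_SITEB internal
group-policy GP_SITEB attributes
 vpn-filter value VPNFILTER_SITEB
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITEB
```

If both `no sysopt connection permit-vpn` and a vpn-filter are configured, tunnel traffic must pass both the interface ACL and the filter.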