SITE TO SITE VPN with access-list on the outside interface

jorjes1984
Level 1

Hi,

I need to ask a simple question.

I have a site-to-site VPN, and it is working properly.

If I want to add an access-list on the outside interface of the firewall for the incoming traffic, does it affect the VPN traffic? Do I have to permit anything related to the VPN in the access-list?

4 Replies

rickyjohnt
Level 1

You can add the rule, not a problem.

Add the rule without adding anything related to the VPN, yeah?

Hi Jorjes,

If you have configured "sysopt connection permit-ipsec" in global configuration mode of the device to allow the VPN traffic to bypass interface access lists, none of the access lists on the interface will block your VPN traffic.

Please visit the following url for more info

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414

Thanks

Jithesh K Joy

Hi,

Jithesh is right. If you use the command "sysopt connection permit-ipsec", all interface ACLs will be bypassed by VPN traffic.

If you are using OS 7.x or greater, there is a new command under the group policy for each VPN that can effectively filter traffic for each VPN: the "vpn-filter" command.

check out the link:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607

regards,
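The practical consequence the replies leave implicit: on an ASA, `sysopt connection permit-vpn` (spelled `permit-ipsec` in older releases) is enabled by default, so decrypted site-to-site traffic never hits the outside interface ACL at all. Adding an outside ACL therefore neither breaks nor constrains the tunnel; the only things that restrict tunnel traffic are a `vpn-filter` on the tunnel's group policy, or turning permit-vpn off so interface ACLs apply to it. The audit script below is an added example, not code from this thread or from Cisco. It reads a constructed running-config excerpt (the hostname, ACL names, peer addresses and group-policy names are invented) and reports every `ipsec-l2l` tunnel-group whose traffic is filtered by neither mechanism, falling back to `DfltGrpPolicy` when the tunnel-group names no policy.

```python
import re

DEFAULT_GROUP_POLICY = "DfltGrpPolicy"   # applies when a tunnel-group names no policy

# Constructed running-config excerpt for the example; the hostname, ACL names,
# peer addresses and group-policy names are invented, not from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
access-list VPN_FILTER_BRANCH extended permit tcp 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-list VPN_FILTER_BRANCH extended deny ip any any
group-policy GP_BRANCH internal
group-policy GP_BRANCH attributes
 vpn-filter value VPN_FILTER_BRANCH
group-policy GP_PARTNER internal
group-policy GP_PARTNER attributes
 vpn-idle-timeout 30
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 general-attributes
 default-group-policy GP_BRANCH
tunnel-group 198.51.100.3 type ipsec-l2l
tunnel-group 198.51.100.3 general-attributes
 default-group-policy GP_PARTNER
tunnel-group 198.51.100.4 type ipsec-l2l
"""


def permit_vpn_enabled(config):
    """True when decrypted VPN traffic bypasses interface ACLs.

    The setting is on by default, so 'show running-config' prints nothing
    for it; only the 'no' form appears (or the explicit line in
    'show running-config all').  'permit-ipsec' is the older spelling.
    """
    enabled = True
    for line in config.splitlines():
        line = line.strip()
        if re.fullmatch(r"no sysopt connection permit-(vpn|ipsec)", line):
            enabled = False
        elif re.fullmatch(r"sysopt connection permit-(vpn|ipsec)", line):
            enabled = True
    return enabled


def parse_sections(config):
    """Return (vpn-filter ACL per group-policy, group-policy per L2L peer).

    ASA nests attribute lines with a single leading space under their
    'group-policy X attributes' or 'tunnel-group Y general-attributes' header.
    """
    filters = {}
    tunnels = {}
    section = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            section = None
            m = re.match(r"group-policy (\S+) attributes$", raw)
            if m:
                section = ("gp", m.group(1))
            m = re.match(r"tunnel-group (\S+) type ipsec-l2l$", raw)
            if m:
                tunnels[m.group(1)] = DEFAULT_GROUP_POLICY
            m = re.match(r"tunnel-group (\S+) general-attributes$", raw)
            if m:
                section = ("tg", m.group(1))
            continue
        line = raw.strip()
        if section and section[0] == "gp":
            m = re.match(r"vpn-filter value (\S+)$", line)
            if m:
                filters[section[1]] = m.group(1)
        elif section and section[0] == "tg" and section[1] in tunnels:
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                tunnels[section[1]] = m.group(1)
    return filters, tunnels


def audit(config):
    """Per L2L peer: effective group policy, its vpn-filter, and whether the
    tunnel's traffic escapes both interface ACLs and vpn-filter."""
    permit_vpn = permit_vpn_enabled(config)
    filters, tunnels = parse_sections(config)
    report = {"permit_vpn": permit_vpn, "tunnels": {}}
    for peer, policy in tunnels.items():
        acl = filters.get(policy)
        report["tunnels"][peer] = {
            "group_policy": policy,
            "vpn_filter": acl,
            # With permit-vpn on, the outside ACL never sees this traffic,
            # so a missing vpn-filter means no ACL applies at all.
            "unfiltered": permit_vpn and acl is None,
        }
    return report


def unfiltered_peers(config):
    """Sorted peers whose decrypted traffic is not subject to any ACL."""
    return sorted(p for p, t in audit(config)["tunnels"].items() if t["unfiltered"])


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("sysopt connection permit-vpn:", "on" if result["permit_vpn"] else "off")
    for peer, t in result["tunnels"].items():
        if t["unfiltered"]:
            status = "UNFILTERED (interface ACLs bypassed, no vpn-filter)"
        elif t["vpn_filter"]:
            status = "vpn-filter " + t["vpn_filter"]
        else:
            status = "interface ACLs apply"
        print(f"{peer:15} {t['group_policy']:13} {status}")
```

On the sample, only the 198.51.100.2 tunnel is constrained (by VPN_FILTER_BRANCH); 198.51.100.3 and 198.51.100.4 are reported as unfiltered even though OUTSIDE_IN ends in `deny ip any any`. Appending `no sysopt connection permit-vpn` clears both findings, because the interface ACLs then apply to the decrypted traffic; attaching a `vpn-filter` to DfltGrpPolicy covers tunnel-groups that name no policy. Two caveats when writing the filter ACL itself: for a site-to-site tunnel the ASA evaluates a vpn-filter with the remote network as the source and the local network as the destination, and a vpn-filter ACL applies an implicit deny at its end, so a filter with only narrow permit lines will drop the rest of the tunnel's traffic.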
