Community Member

SITE TO SITE VPN with access-list on the outside interface

Hi

I need to ask a simple question.

I have a site-to-site VPN, and it is working properly.

If I want to add an access-list on the outside interface of the firewall for the incoming traffic, does it affect the VPN traffic? Do I have to permit anything related to the VPN in the access-list?

4 REPLIES
Community Member

Re: SITE TO SITE VPN with access-list on the outside interface

You can add the rule, not a problem.

Community Member

Re: SITE TO SITE VPN with access-list on the outside interface

Add the rule without adding anything related to the VPN, yah?

Community Member

Re: SITE TO SITE VPN with access-list on the outside interface

Hi Jorjes,

If you have configured "sysopt connection permit-ipsec" in global configuration mode of the device to allow the VPN traffic to bypass interface access lists, none of the access lists on the interface will block your VPN traffic.

Please visit the following URL for more info:

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414

Thanks

Jithesh K Joy

Community Member

Re: SITE TO SITE VPN with access-list on the outside interface

Hi,

Jithesh is right. If you use the command "sysopt connection permit-ipsec", all interface ACLs will be bypassed by VPN traffic.

If you are using OS 7.x or greater, there is a new command under the group policy for each VPN that can effectively filter traffic for each VPN: the "vpn-filter" command.

Check out the link:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607

Regards,
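Bringing the two replies together, here is an ASA configuration fragment as an added example (not posted in this thread): the sysopt bypass the third reply describes, the per-tunnel vpn-filter the fourth reply mentions, and the alternative of letting the interface ACL apply to decrypted traffic. The interface name, addresses, ACL names and group-policy name are assumptions.

```cisco
! Added example, not from the thread. Assumed values: local LAN 10.10.10.0/24,
! remote LAN 192.168.20.0/24, peer 203.0.113.2 (RFC 5737 documentation address).
!
! Option A (default behaviour): decrypted VPN traffic bypasses interface ACLs,
! so OUTSIDE_IN can stay as strict as you like without touching the tunnel.
! "permit-vpn" is the current spelling; "permit-ipsec" is the older one used above.
sysopt connection permit-vpn
access-group OUTSIDE_IN in interface outside
! IKE (UDP/500, UDP/4500) and ESP terminate on the ASA itself and are not
! evaluated against an interface ACL, so nothing VPN-related has to be
! permitted in OUTSIDE_IN in either option.
!
! Option B (7.x and later): filter inside the tunnel with vpn-filter. It is
! applied whether or not sysopt permit-vpn is enabled. The ACL is written in the
! remote-to-local direction (source = remote network, destination = local
! network); return traffic of a permitted connection is allowed automatically.
access-list BRANCH_FILTER extended permit tcp 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list BRANCH_FILTER extended permit icmp 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo
! The implicit deny at the end of BRANCH_FILTER drops everything else in the tunnel.
group-policy BRANCH_GP internal
group-policy BRANCH_GP attributes
 vpn-filter value BRANCH_FILTER
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy BRANCH_GP
!
! Option C: disable the bypass so the interface ACL also applies to decrypted
! traffic. OUTSIDE_IN must then explicitly permit the tunnel's inner traffic,
! placed before any deny entries in that ACL.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
```

Options A and C are mutually exclusive settings of the same command; Option B can be combined with either.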
