I am facing an issue with a VPN tunnel. I am running several L2L VPN tunnels on my ASA and have configured "sysopt connection permit-vpn". Currently I am setting up a new L2L tunnel and I want to restrict some ports from the remote end to my end servers, but I am unable to do that, due to, I believe, "sysopt connection permit-vpn". I cannot remove this config as it will impact the other tunnels.
Please help me: how could I allow only specific ports into an L2L tunnel from the outside?
One option you could consider is changing the setting you mention, "sysopt connection permit-vpn".
What you could do is:
Configure in your "outside" interface ACL that all traffic from the remote networks of the existing L2L VPN connections is allowed.
After this, change the sysopt setting to "no sysopt connection permit-vpn".
So you would basically first make sure that the traffic from the existing connections will be allowed, and then change the global setting; the connections for the existing L2L VPNs would still be allowed as usual.
After this you could configure the ACL rules you want for this new connection.
I personally find the "no sysopt connection permit-vpn" solution a lot simpler and more convenient when limiting VPN traffic than configuring separate VPN Filter ACLs, especially in the case of L2L VPNs.
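The procedure in the answer above, written out as an ASA configuration example. This is an added illustration, not configuration from the original post or from Cisco; the interface name (outside), ACL names, the local network 192.168.1.0/24, the existing remote networks 10.10.0.0/24 and 10.20.0.0/24, the new peer's network 10.30.0.0/24 and the two servers/ports are all assumed for the example. The order matters: the permit lines for the existing tunnels are added and the ACL is bound to the interface before "no sysopt connection permit-vpn" is entered, so the existing tunnels never lose connectivity. Note that the interface ACL only filters decrypted tunnel traffic; the IKE/ESP packets terminating on the ASA itself are to-the-box traffic and are not affected by this ACL.

```text
! --- Step 1: replicate what "sysopt connection permit-vpn" was doing for the
! --- existing tunnels: permit everything from their remote networks (assumed).
object-group network EXISTING_L2L_REMOTES
 network-object 10.10.0.0 255.255.255.0
 network-object 10.20.0.0 255.255.255.0
object-group network LOCAL_LAN
 network-object 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip object-group EXISTING_L2L_REMOTES object-group LOCAL_LAN

! --- Step 2: rules for the NEW tunnel (assumed peer network 10.30.0.0/24):
! --- only HTTPS to one server and MS-SQL to another, everything else from
! --- that network is explicitly denied and logged.
access-list OUTSIDE_IN extended permit tcp 10.30.0.0 255.255.255.0 host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended permit tcp 10.30.0.0 255.255.255.0 host 192.168.1.11 eq 1433
access-list OUTSIDE_IN extended deny ip 10.30.0.0 255.255.255.0 any log

! --- Any rules already needed for non-VPN traffic arriving on "outside"
! --- (existing NAT/port-forwards etc.) must also be present in OUTSIDE_IN
! --- before the interface's implicit deny; they are omitted here.

! --- Step 3: bind the ACL inbound on the outside interface (if an ACL is
! --- already bound there, add the lines above to that ACL instead).
access-group OUTSIDE_IN in interface outside

! --- Step 4: only now disable the global bypass, so the interface ACL
! --- starts applying to decrypted VPN traffic.
no sysopt connection permit-vpn

! --- Verification (exec mode): confirm hit counts and simulate a packet
! --- from the new peer. The first should be allowed, the second dropped
! --- by the deny line with "log".
show access-list OUTSIDE_IN
packet-tracer input outside tcp 10.30.0.5 40000 192.168.1.10 443
packet-tracer input outside tcp 10.30.0.5 40000 192.168.1.10 22

! --- Alternative the answer mentions (per-tunnel VPN filter), shown for
! --- comparison and assumed peer IP 203.0.113.10. A vpn-filter ACL is
! --- written with the remote network as source and the local network as
! --- destination, and the ASA applies it to both directions of the tunnel.
access-list VPN_FILTER_NEW_L2L extended permit tcp 10.30.0.0 255.255.255.0 host 192.168.1.10 eq 443
access-list VPN_FILTER_NEW_L2L extended permit tcp 10.30.0.0 255.255.255.0 host 192.168.1.11 eq 1433
group-policy GP_NEW_L2L internal
group-policy GP_NEW_L2L attributes
 vpn-filter value VPN_FILTER_NEW_L2L
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_NEW_L2L
```

After "no sysopt connection permit-vpn" is entered, every existing tunnel depends on its permit line in OUTSIDE_IN, so run the packet-tracer check against a host in each existing remote network as well before considering the change complete. The vpn-filter variant leaves "sysopt connection permit-vpn" in place and restricts only the one tunnel, at the cost of maintaining a separate ACL and group-policy per peer.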