New Member

ASA5520 v7.2 - How disable VPN traffic?

Hi to all,

I have an ASA5520 with v7.2. I have read in the command reference that, by default, the security appliance allows VPN traffic to terminate on a security appliance interface. And here is my question:

How can I disable that to filter the VPN traffic with my own access-list?

Regards, Fernando.

9 REPLIES
New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi Fernando,

To filter IPSec traffic using an interface access-list, you can use the following command:

no sysopt connection permit-vpn

check the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/s8_711.htm#wp1198155

I hope this is of assistance in answering your question.

Kindest regards,

Shadi

New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi Shadi,

Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:

"You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."

So if I disable "sysopt connection permit-vpn", I will be able to filter the local IP assigned from the vpn_pool, but not the real public IP of the client.

Regards, Fernando.

New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi Fernando,

This means that you would like to filter VPN negotiations using an access-list?

If that is the situation, you will not be able to do that as far as I know; you can only either receive all the negotiation requests or disable listening for IPsec negotiations on the specific interface.

Kind regards,

Shadi

New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi Shadi,

Yes, it is, and if you are right it is bad news for me.

Anyway thanks for your interest.

Regards, Fernando.

Green

Re: ASA5520 v7.2 - How disable VPN traffic?

Fernando,

You are wrong here. Shadi was right originally. All that IMPORTANT is telling you is that if you are going to write access in your interface ACLs, you use the pool address, not the client's public IP. But you will also have to allow isakmp, esp, nat-t etc. in your outside ACL from the public IP of the client.

So, to disable vpn connections you can do "no sysopt conn permit-vpn" and allow specific access in your acls.

New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi acomiskey,

Obviously, before answering Shadi, I tried his suggestion and I confirm that it works as I said.

Even more, I have disabled "sysopt connection permit-vpn" (using "no sysopt conn permit-vpn") and then used the following access-list on the outside interface:

access-list outside_in deny ip any any

access-list outside_in deny esp any any

access-list outside_in deny ahp any any

And the device (the ASA) still allows a vpn client to connect.

If you have some time, try it, confirm for yourself, and be surprised.

Regards, Fernando.

Green

Re: ASA5520 v7.2 - How disable VPN traffic?

Fernando, I have tried this myself and have gotten much different results. I have to specifically allow isakmp, esp, nat-t etc. for me to connect a VPN tunnel. I guess we're both right.

And for the record, it appeared you were basing your suggestion upon the documentation quoted above.

Green

Re: ASA5520 v7.2 - How disable VPN traffic?

Just tried it again and it allowed me to connect. I know at one point in time I had to allow the ports on another ASA. A bug maybe? Anyway, sorry for the confusion.
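
The configuration Shadi and acomiskey describe (no sysopt connection permit-vpn plus an interface ACL written against the pool addresses), together with why Fernando's deny-all test above still let the client connect, as an added example that is not from the original thread. The interface name, the pool range, the inside host 10.1.1.20, the ACL names and the group-policy name are assumed values, not anything from the thread:

```cisco
! Added example in ASA 7.2 syntax; all addresses and names are hypothetical.
! Address pool handed to remote-access clients. The interface ACL below
! matches on these pool addresses, never on the clients' public IPs.
ip local pool VPN_POOL 10.10.200.1-10.10.200.254 mask 255.255.255.0

! Stop decrypted VPN traffic from bypassing the interface ACL.
no sysopt connection permit-vpn

! Inbound ACL on the outside interface. After the command above, packets
! that arrive inside the tunnel are evaluated here with their decrypted
! (pool) source address.
access-list outside_in extended permit tcp 10.10.200.0 255.255.255.0 host 10.1.1.20 eq 443
access-list outside_in extended permit icmp 10.10.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_in extended deny ip 10.10.200.0 255.255.255.0 any log
! No entries for udp/500, udp/4500 or esp are needed. IKE, NAT-T and ESP
! are terminated by the ASA itself ("to-the-box" traffic) and are not
! evaluated against an interface ACL, which is why an outside ACL of
! "deny ip any any / deny esp any any" still lets a client negotiate and
! connect. The ACL only governs what the client can reach once inside.
access-group outside_in in interface outside

! Alternative that leaves sysopt untouched: a per-group vpn-filter. It is
! likewise applied to the decrypted (pool) addresses of that group's users,
! with the remote client as the source and the inside network as destination.
access-list VPN_FILTER extended permit tcp 10.10.200.0 255.255.255.0 host 10.1.1.20 eq 443
group-policy REMOTE_USERS attributes
 vpn-filter value VPN_FILTER

! Verification: the outside_in hit counters should increment for tunnelled
! traffic, and sysopt should show the "no" form.
! show access-list outside_in
! show running-config sysopt
```

Neither variant answers Fernando's actual question of admitting only certain public IPs to the IKE negotiation: on 7.2 the levers the thread identifies are enabling or disabling ISAKMP on the interface altogether (crypto isakmp enable outside), not an interface ACL. Later ASA releases add a separate control-plane ACL (access-group with the control-plane keyword) specifically for to-the-box traffic such as IKE; that is not available on the 7.2 box discussed here.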

New Member

Re: ASA5520 v7.2 - How disable VPN traffic?

Hi acomiskey,

Thanks for your interest.

I don't know if it is a bug in v7.2 or not. I thought so, but then I read the "Command Reference" and came to the conclusion that it was the normal behaviour of "no sysopt conn permit-vpn", and because of that I am looking for another way to do it.

Kind Regards, Fernando.
