Help me understand

I have three sites, each with an ASA 5510. L2L VPNs work fine between each, and each is set up to allow remote VPN connections. I even had to set up split tunneling because the sales group complained about having to go through the internal proxy...

Anyway, when remote VPN users connected to one site, they couldn't access the networks on the other ASAs... I checked my tunnel-groups, my policies and especially my ACLs. Nothing added up; I couldn't understand why remote VPN users connecting to one of the ASAs couldn't access any other networks.

Then I saw someone mention "sysopt connection permit-vpn" in this forum. I had never heard of that command, so I looked it up, and according to Cisco "This feature is enabled by default." even though the only way to see if it's enabled or disabled is to "sho run sysopt". When I ran that command on my three ASAs I saw that the one that wasn't cooperating had it set to "no sysopt connection permit-vpn", so I enabled it and now users connecting to that ASA can access the other networks.

Obviously this has helped, but is it wise to have this feature enabled? Is this the only way to get different VPN IP pools and/or subnets to talk?


Were there any ACLs configured on the inside interface of the ASA? Normally the sysopt connection permit-ipsec (as it was previously called) allows traffic that enters the ASA through a VPN tunnel to bypass the interface access lists. Group policy and per-user authorization access-lists still apply to the traffic. There is no harm in enabling this command on the ASA, since you know that the VPN communication is going to happen between two trusted sources in your WAN network. Having this command also saves some resources on the ASA, not having to look in the ACL table every time your local VPN traffic flows through.... Enable this, and I think you need not worry much on this again.

Hope this helps. All the best.
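As an added illustration (not from either poster, and not Cisco's own documentation), here are the two states of the command side by side on an ASA. Interface name, ACL name, pool and subnets are made up; the hairpin setting on the first line is assumed to be present already, since remote-access traffic re-entering an L2L tunnel on the same interface requires it.

```text
! Remote-access traffic arrives on "outside" and leaves on "outside" again
! (into the L2L tunnel to the other site). The ASA drops that hairpin unless
! this is set. Assumed present on all three units in the thread.
same-security-traffic permit intra-interface

! --- State 1: the default, and what the poster ended up with. ---
! Decrypted VPN traffic (remote-access and L2L) skips the interface ACL
! bound to "outside". Only group-policy / per-user filters still apply,
! so those filters become the place where remote users are scoped.
sysopt connection permit-vpn

! Constructed vpn-filter: remote-access users (pool 10.99.0.0/24) may reach
! the two remote-site LANs and nothing else. In a vpn-filter ACE the VPN
! client side is written as the source and the local/tunnelled side as the
! destination. Names REMOTE_USERS_FILTER and SALES_GP are made up.
access-list REMOTE_USERS_FILTER extended permit ip 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list REMOTE_USERS_FILTER extended permit ip 10.99.0.0 255.255.255.0 192.168.30.0 255.255.255.0
group-policy SALES_GP attributes
 vpn-filter value REMOTE_USERS_FILTER

! --- State 2: bypass disabled, as found on the misbehaving ASA. ---
! Decrypted traffic is now checked against the ACL on the interface it
! arrived on. With no matching permits in OUTSIDE_IN, remote users get
! nothing beyond the terminating ASA, which matches the symptom described.
! If you prefer this state, the permits must be added explicitly:
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 10.99.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! Either state can be verified the way the poster did, with
! "show run sysopt"; the vpn-filter is seen with "show run group-policy".
```

State 2 gives one ACL that governs both cleartext and decrypted traffic on the interface, at the cost of the extra lookup the reply mentions; State 1 keeps the default behaviour and relies on the vpn-filter for scoping.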