New Member

same-security-traffic intra-interface and ACLs

I have an ASA 5520 running v7.2 with a RA VPN without split tunneling. I have enabled same-security-traffic intra-interface and appropriate NATing to get VPN clients to the web. This works. However, I noticed the VPN client web traffic isn't hitting my outside interface outbound ACLs. How do I get my outbound VPN client traffic to hit these ACLs? Thanks-

6 REPLIES
Green

Re: same-security-traffic intra-interface and ACLs

So you have something like this?

access-list outbound out interface outside

New Member

Re: same-security-traffic intra-interface and ACLs

almost:

access-group outbound out interface outside

with

access-list outbound extended deny tcp any host x.x.x.x eq www

inside can't www to x.x.x.x, but vpn clients can.

Green

Re: same-security-traffic intra-interface and ACLs

I would assume this is because of...

sysopt connection permit-vpn

This makes the traffic bypass the interface ACLs. You could disable this with "no sysopt connection permit-vpn", but this would apply to all IPsec VPN traffic.

Another option is to use a vpn-filter assigned to the vpn tunnel group policy.

New Member

Re: same-security-traffic intra-interface and ACLs

Hmmm. There's no sysopt in the config. So I am correct that the expected behavior from my config should be for the www VPN client traffic to hit outbound ACLs?

Any other ideas?

Thanks

Green

Re: same-security-traffic intra-interface and ACLs

Try..

show run sysopt

New Member

Re: same-security-traffic intra-interface and ACLs

Bingo. So a little digging shows 'sysopt connection permit-vpn' is enabled by default post 7.0. This would explain why I don't see it explicitly in the config. Thanks!
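The thread's two findings, that "sysopt connection permit-vpn" is on by default and invisible in "show run", and that a vpn-filter on the group-policy is the way to filter only VPN traffic, can be checked mechanically. The script below is an added example written for this thread, not Cisco code: it audits a saved running-config for the bypass and emits the vpn-filter lines that reinstate the interface ACL's deny entries for VPN clients. The config it parses (hostnames, ACL and group-policy names, the 203.0.113.10 address) is constructed to mirror the original poster's setup, and the vpn-filter it generates is kept separate from the access-group ACL so the two can be tuned independently; it copies only ACEs with source "any", which sidesteps the question of ACE direction inside a vpn-filter.

```python
"""Audit an ASA running-config for remote-access VPN traffic that bypasses
interface ACLs and build the vpn-filter config that puts the policy back.
Added example for this thread; not Cisco code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modeled on the original poster's setup (not a real device).
SAMPLE_CONFIG = """\
hostname asa5520
same-security-traffic permit intra-interface
access-list outbound extended deny tcp any host 203.0.113.10 eq www
access-list outbound extended permit ip any any
access-group outbound out interface outside
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-POLICY
"""


def permit_vpn_enabled(config: str) -> bool:
    """'sysopt connection permit-vpn' is on by default from 7.0 and does not
    appear in 'show run' (only in 'show run all' / 'show run sysopt'), so the
    only evidence that it is off is the explicit 'no' form."""
    return not any(line.strip() == "no sysopt connection permit-vpn"
                   for line in config.splitlines())


def interface_access_groups(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl, direction, interface) for every access-group binding."""
    pat = re.compile(r"^access-group (\S+) (in|out) interface (\S+)\s*$")
    return [m.groups() for m in map(pat.match, config.splitlines()) if m]


def acl_entries(config: str, name: str) -> List[str]:
    """The ACEs of one named ACL with the 'access-list <name> ' prefix removed."""
    prefix = f"access-list {name} "
    return [line[len(prefix):] for line in config.splitlines()
            if line.startswith(prefix)]


def group_policy_filters(config: str) -> Dict[str, Optional[str]]:
    """Map every group-policy to the vpn-filter ACL it applies (None = unfiltered)."""
    filters: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Any non-indented line ends the current 'attributes' block.
            current = None
            m = re.match(r"^group-policy (\S+) (attributes|internal|external)", line)
            if m:
                filters.setdefault(m.group(1), None)
                if m.group(2) == "attributes":
                    current = m.group(1)
            continue
        m = re.match(r"^\s+vpn-filter value (\S+)\s*$", line)
        if m and current:
            filters[current] = m.group(1)
    return filters


def audit(config: str) -> List[str]:
    """Findings explaining why VPN client traffic is not hitting interface ACLs."""
    findings: List[str] = []
    if not permit_vpn_enabled(config):
        return findings  # decrypted VPN traffic is subject to the interface ACLs
    bound = ", ".join(f"{acl} ({d} on {ifc})"
                      for acl, d, ifc in interface_access_groups(config)) or "none"
    findings.append("sysopt connection permit-vpn is in effect (default, not shown "
                    f"in 'show run'): VPN traffic bypasses interface ACLs: {bound}")
    for gp, flt in group_policy_filters(config).items():
        if flt is None:
            findings.append(f"group-policy {gp} has no vpn-filter: decrypted "
                            "traffic from its clients is not filtered at all")
    return findings


def vpn_filter_config(config: str, group_policy: str, source_acl: str,
                      filter_name: str) -> str:
    """Copy the deny ACEs of an interface ACL into a separate vpn-filter ACL,
    close it with permit ip any any, and attach it to the group-policy."""
    lines = [f"access-list {filter_name} {ace}"
             for ace in acl_entries(config, source_acl)
             if ace.startswith("extended deny ")]
    lines.append(f"access-list {filter_name} extended permit ip any any")
    lines += [f"group-policy {group_policy} attributes",
              f" vpn-filter value {filter_name}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print(vpn_filter_config(SAMPLE_CONFIG, "RA-POLICY", "outbound", "RA-FILTER"))
```

Feed it the output of "show run" (or "show run all", which makes the sysopt line explicit); after the generated lines are applied, the audit still reports the permit-vpn bypass but no longer flags the group-policy as unfiltered, which is the state the thread ends on if you take the vpn-filter route instead of turning off permit-vpn for every IPsec peer.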
