ASA rule to not bypass ACLs over VPN

whiteford
Level 1

Hi,

I have a new ASA and have connected a VPN. It seems to not care about any ACLs I put on it; then I remembered there is a command I can add so VPNs use ACLs. What is this?

Thanks

3 Replies

Todd Pula
Level 7

Are you referring to not having to add VPN related protocols to an ingress ACL applied to the outside interface? If so, you are more than likely referring to the "sysopt connection permit-vpn".

cmcbride
Level 1

Right, that is the normal configuration. In 8.x, and maybe 7.x, there is a command 'vpn-filter' which can be set per group-policy and reference an ACL. That ACL will be imposed on inbound traffic and outbound traffic.

Alternatively, you have to disable 'sysopt connection permit-ipsec' (or 'permit-vpn' for 8.x), and then create an ACL that you apply to your outside interface to allow IPsec traffic connections but filter access to internal systems.

Using the vpn-filter command is MUCH easier though.
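An added example of the vpn-filter approach described above (not from any of the posters in this thread); the pool, ACL, group-policy and tunnel-group names, the 10.10.10.0/24 client pool and the 192.168.1.x internal hosts are all made-up values for illustration:

```cisco
! Address pool handed to remote-access VPN clients (constructed values)
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! The ACL referenced by vpn-filter is evaluated for traffic in both
! directions of the tunnel, so write it once with the VPN client as the
! source and the internal host as the destination; the ASA applies the
! mirrored entry to return traffic. Only RDP to one jump host and DNS to
! one resolver are allowed here; everything else over the tunnel is denied.
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list VPN-FILTER extended permit udp 10.10.10.0 255.255.255.0 host 192.168.1.5 eq 53
! Explicit deny with logging so blocked VPN traffic shows up in syslog
access-list VPN-FILTER extended deny ip any any log

! Bind the filter to the group policy used by the tunnel group
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
```

With this in place, 'sysopt connection permit-vpn' can stay enabled, since the filter is applied to the decrypted traffic regardless of the outside interface ACL; 'show access-list VPN-FILTER' shows per-entry hit counts for verifying that the filter is actually being matched.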

Thanks, "sysopt connection permit-vpn" was the one I used.
