10-30-2013 02:41 PM
Hi all,
I would like to ask you for advice with "sysopt connection permit-vpn". I have a problem with bypassing the access-list (ACL) on the INSIDE interface. If I understand correctly, when I use this command there is no need to specifically allow traffic in the INSIDE access-list and I can control traffic by vpn-filter. But in my case it is just the opposite: I have to specifically allow this traffic in the INSIDE ACL. When I allow this traffic in the INSIDE ACL, then the L2L tunnel goes UP, traffic flows through the vpn-filter ACL and everything is OK. But when I do not allow this traffic in INSIDE, the deny statement in the INSIDE ACL blocks the traffic and the tunnel never goes UP. You can check the important part of the configuration below.
Please let me know if I'm wrong, or what I am doing wrong.
Thanks
Karel
PHA-FW01# show ver | inc Ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
PHA-FW01# show ru all sys
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp INSIDE
no sysopt noproxyarp EXT-VLAN20
no sysopt noproxyarp EXT-WIFI-VLAN30
no sysopt noproxyarp OUTSIDE
PHA-FW01# show object-group id ALGOTECH
object-group network ALGOTECH
network-object 10.10.22.0 255.255.255.0
network-object host 172.16.15.11
PHA-FW01# show running-config object id VLAN20
object network VLAN20
subnet 10.1.2.0 255.255.255.0
access-list L2L_to_ALGOTECH extended permit ip object VLAN20 object-group ALGOTECH
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20
access-list EXT-VLAN20 remark ======================================================
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group ALGOTECH # why must this rule be here?
access-list EXT-VLAN20 extended permit udp object VLAN20 object-group OUT-DNS-SERVERS eq domain
access-list EXT-VLAN20 extended permit ip object VLAN20 object VPN-USERS
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group OPENVPN-SASPO
access-list EXT-VLAN20 extended permit ip object VLAN20 object VLAN10
access-list EXT-VLAN20 extended deny ip any object-group LOCAL-NETS log
access-list EXT-VLAN20 extended permit icmp any any echo
access-list EXT-VLAN20 extended permit object-group SERVICE-FROM-VLAN20 object VLAN20 any
access-list EXT-VLAN20 extended deny ip any any log
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20
group-policy GROUP_POLICY-91.X41.X.12 internal
group-policy GROUP_POLICY-91.X41.X.12 attributes
vpn-filter value ACL-ALGOTECH
vpn-tunnel-protocol ikev1
tunnel-group 91.X41.X.12 type ipsec-l2l
tunnel-group 91.X41.X.12 general-attributes
default-group-policy GROUP_POLICY-91.X41.X.12
tunnel-group 91.X41.X.12 ipsec-attributes
ikev1 pre-shared-key *****
PHA-FW01# show running-config nat
nat (EXT-VLAN20,OUTSIDE) source static VLAN20 VLAN20 destination static ALGOTECH ALGOTECH no-proxy-arp route-lookup
object network VLAN20
nat (EXT-VLAN20,OUTSIDE) dynamic interface
access-group INSIDE in interface INSIDE
access-group EXT-VLAN20 in interface EXT-VLAN20
Solved! Go to Solution.
10-30-2013 02:48 PM
Hi,
The command "sysopt connection permit-vpn" is the default setting and it only applies the interface ACL bypass to the interface that terminates the VPN. So that would be the interface connected to the external network. This won't have any effect on the interface ACLs of other interfaces.
So if you initiate or need to initiate connections from your LAN network to the remote networks through the L2L VPN connection, then you will have to allow this traffic on your LAN network's interface ACL.
If the situation was such that only the remote end initiated connections to your network, then "sysopt connection permit-vpn" would allow their connections to bypass the external interface's ACL. Though if you have a VPN Filter ACL configured, I think the traffic will still be matched against that ACL.
Here is the ASA Command Reference section about the "sysopt" command
http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1567918
- Jouni
10-30-2013 03:45 PM
Thank you for your reply; all of this sounds logical. But what will happen when the remote end initiates a connection to our network?
1.) Sysopt bypasses the OUTSIDE interface ACL. OK, I agree.
2.) Returned traffic from the LAN will have to pass through the INSIDE interface ACL and probably will not pass, because there will be no record in the connection tracking table? OR has the record in the connection tracking table been made by the vpn-filter?
10-30-2013 04:02 PM
Hi,
You don't need to allow return traffic on a Cisco firewall. If the connection has been allowed to form through the firewall, then the return traffic will be allowed back automatically. As soon as the firewall sees a TCP SYN, for example, and it's allowed, the firewall will build a connection for it.
The interface ACLs or VPN Filter ACL only control whether the connection is allowed. If it's allowed, then the connection is built on the firewall (naturally, if no other configuration fails the connection attempt, like NAT for example).
So for your LAN hosts to be able to initiate a connection to the remote network behind the L2L VPN connection, you will have to allow the traffic on their interface ACL.
For connections initiated from the remote network behind the L2L VPN connection, you will have to allow the traffic in the VPN Filter ACL you are using now.
One option would naturally be to use "no sysopt connection permit-vpn" and use the interface ACL of your firewall's external interface to control traffic coming from VPN connections. (You would not need a VPN Filter ACL then.) Naturally, depending on your current VPN setups, this might require some planning before changing the above setting so connections won't start to get blocked. (ACL rules would have to be configured before changing the setting.)
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
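As an added illustration of the two answers above (this is not code from the original thread or from Cisco), the following Python model encodes the decision logic Jouni describes: the ingress interface ACL is consulted for every new connection with an implicit deny at the end; "sysopt connection permit-vpn" bypasses that ACL only for decrypted tunnel traffic arriving on the interface that terminates the VPN; the vpn-filter ACL is applied to tunnel traffic in both directions; and once a connection exists, packets in either direction match it without any further ACL lookup. Interface names, addresses and ACL entries are taken from Karel's post. Assumptions not stated in the thread: the "deny ip any any" tail stands in for the rest of the EXT-VLAN20 ACL, the OUTSIDE interface is modelled with no ACL of its own, and the rule that a vpn-filter ACL is written remote-to-local and matched with source and destination swapped for LAN-initiated flows is the ASA's documented vpn-filter semantics, which the thread's working configuration (ACL-ALGOTECH written ALGOTECH -> VLAN20 yet passing LAN-initiated traffic) is consistent with.

```python
"""Model of the ASA's per-connection ACL decision for the L2L setup in the thread.

Added illustration, not Cisco code. Addresses and ACL entries come from the post;
the deny-all tail, the empty OUTSIDE ACL and the swapped vpn-filter match for
LAN-initiated flows are assumptions (see the lead-in).
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def expand(action, srcs, dsts):
    """One Ace per (src, dst) pair, the way an object-group expands into entries."""
    return [Ace(action, s, d) for s in srcs for d in dsts]


def evaluate_acl(acl, src_ip, dst_ip):
    """First matching entry wins; no match is the ASA's implicit deny."""
    for entry in acl:
        if src_ip in entry.src and dst_ip in entry.dst:
            return entry.action == "permit"
    return False


class Asa:
    def __init__(self, interface_acls, vpn_interface, crypto_acl, vpn_filter=None, permit_vpn=True):
        self.interface_acls = interface_acls  # {interface: [Ace, ...]} from access-group
        self.vpn_interface = vpn_interface    # interface the L2L tunnel terminates on
        self.crypto_acl = crypto_acl          # interesting traffic (L2L_to_ALGOTECH)
        self.vpn_filter = vpn_filter          # group-policy "vpn-filter value" ACL
        self.permit_vpn = permit_vpn          # sysopt connection permit-vpn
        self.conns = set()                    # connection table: {(src, dst)}

    def packet(self, ingress, src, dst, from_tunnel=False):
        """Return (allowed, reason); a permitted first packet builds a connection."""
        src_ip, dst_ip = IPv4(src), IPv4(dst)
        # Packets of an existing connection, in either direction, skip every ACL.
        if (src_ip, dst_ip) in self.conns or (dst_ip, src_ip) in self.conns:
            return True, "existing connection (no ACL lookup)"
        # The bypass applies only to decrypted traffic on the VPN-terminating interface.
        bypass = from_tunnel and ingress == self.vpn_interface and self.permit_vpn
        if not bypass and not evaluate_acl(self.interface_acls.get(ingress, []), src_ip, dst_ip):
            return False, f"denied by interface ACL on {ingress}"
        # vpn-filter covers traffic leaving the tunnel and traffic about to enter it.
        to_tunnel = not from_tunnel and evaluate_acl(self.crypto_acl, src_ip, dst_ip)
        if self.vpn_filter is not None and (from_tunnel or to_tunnel):
            # Written remote -> local; outbound flows are matched with the pair swapped.
            remote, local = (src_ip, dst_ip) if from_tunnel else (dst_ip, src_ip)
            if not evaluate_acl(self.vpn_filter, remote, local):
                return False, "denied by vpn-filter"
        self.conns.add((src_ip, dst_ip))
        return True, "connection built"


# Objects from the post.
VLAN20 = [Net("10.1.2.0/24")]
ALGOTECH = [Net("10.10.22.0/24"), Net("172.16.15.11/32")]
CRYPTO_ACL = expand("permit", VLAN20, ALGOTECH)   # L2L_to_ALGOTECH
VPN_FILTER = expand("permit", ALGOTECH, VLAN20)   # ACL-ALGOTECH
ANY = [Net("0.0.0.0/0")]


def build_asa(lan_permit, permit_vpn=True, outside_permit=False):
    """EXT-VLAN20 with or without the rule Karel asked about; OUTSIDE empty unless told otherwise."""
    ext_vlan20 = expand("permit", VLAN20, ALGOTECH) if lan_permit else []
    ext_vlan20 += expand("deny", ANY, ANY)            # deny ip any any log
    outside = expand("permit", ALGOTECH, VLAN20) if outside_permit else []
    return Asa({"EXT-VLAN20": ext_vlan20, "OUTSIDE": outside}, "OUTSIDE",
               CRYPTO_ACL, VPN_FILTER, permit_vpn)


def scenarios():
    """Constructed hosts: 10.1.2.10 behind EXT-VLAN20, 10.10.22.5 at the remote end."""
    lan, remote = "10.1.2.10", "10.10.22.5"
    out = {}
    # LAN-initiated: the LAN-side interface ACL decides, sysopt does not help.
    out["lan_init_no_rule"] = build_asa(False).packet("EXT-VLAN20", lan, remote)
    out["lan_init_with_rule"] = build_asa(True).packet("EXT-VLAN20", lan, remote)
    # Remote-initiated with sysopt on: OUTSIDE ACL bypassed, vpn-filter decides,
    # and the reply needs no rule on EXT-VLAN20 because the connection exists.
    asa = build_asa(False)
    out["remote_init"] = asa.packet("OUTSIDE", remote, lan, from_tunnel=True)
    out["remote_init_reply"] = asa.packet("EXT-VLAN20", lan, remote)
    out["remote_init_filtered"] = build_asa(False).packet("OUTSIDE", "10.10.99.5", lan, from_tunnel=True)
    # Jouni's alternative: no sysopt permit-vpn, so the OUTSIDE ACL must permit it.
    out["no_sysopt"] = build_asa(False, permit_vpn=False).packet("OUTSIDE", remote, lan, from_tunnel=True)
    out["no_sysopt_outside_rule"] = build_asa(False, permit_vpn=False, outside_permit=True).packet(
        "OUTSIDE", remote, lan, from_tunnel=True)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The "lan_init_no_rule" case reproduces Karel's observation: the packet is dropped by the EXT-VLAN20 interface ACL before the tunnel or the vpn-filter are ever involved, while "remote_init" and "remote_init_reply" show why return traffic needs no LAN-side rule.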