Problem with "sysopt connection permit-vpn"

Karel Svarc
Level 1

Hi all,

I would like to ask you for advice with "sysopt connection permit-vpn". I have a problem with bypassing the access-list (ACL) on the INSIDE interface. If I understand correctly and I use this command, there is no need to specifically allow traffic in the INSIDE access-list and I can control traffic by vpn-filter. But in my case it is just the opposite: I have to specifically allow this traffic in the INSIDE ACL. When I allow this traffic in the INSIDE ACL, then the L2L tunnel goes UP, traffic flows through the vpn-filter ACL and everything is OK. But when I do not allow this traffic in INSIDE, the rule with the deny statement in the INSIDE ACL blocks the traffic and the tunnel never goes UP. You can check out the important part of the configuration below.

Please let me know if I'm wrong, or what I am doing wrong?

Thanks

Karel

PHA-FW01# show ver | inc Ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1

PHA-FW01# show ru all sys
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp INSIDE
no sysopt noproxyarp EXT-VLAN20
no sysopt noproxyarp EXT-WIFI-VLAN30
no sysopt noproxyarp OUTSIDE

PHA-FW01# show object-group id ALGOTECH
object-group network ALGOTECH
network-object 10.10.22.0 255.255.255.0
network-object host 172.16.15.11

PHA-FW01# show running-config object id VLAN20
object network VLAN20
subnet 10.1.2.0 255.255.255.0

access-list L2L_to_ALGOTECH extended permit ip object VLAN20 object-group ALGOTECH
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20
access-list EXT-VLAN20 remark ======================================================
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group ALGOTECH #why must be here this rule?
access-list EXT-VLAN20 extended permit udp object VLAN20 object-group OUT-DNS-SERVERS eq domain
access-list EXT-VLAN20 extended permit ip object VLAN20 object VPN-USERS
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group OPENVPN-SASPO
access-list EXT-VLAN20 extended permit ip object VLAN20 object VLAN10
access-list EXT-VLAN20 extended deny ip any object-group LOCAL-NETS log
access-list EXT-VLAN20 extended permit icmp any any echo
access-list EXT-VLAN20 extended permit object-group SERVICE-FROM-VLAN20 object VLAN20 any
access-list EXT-VLAN20 extended deny ip any any log
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20

group-policy GROUP_POLICY-91.X41.X.12 internal
group-policy GROUP_POLICY-91.X41.X.12 attributes
vpn-filter value ACL-ALGOTECH
vpn-tunnel-protocol ikev1
tunnel-group 91.X41.X.12 type ipsec-l2l
tunnel-group 91.X41.X.12 general-attributes
default-group-policy GROUP_POLICY-91.X41.X.12
tunnel-group 91.X41.X.12 ipsec-attributes
ikev1 pre-shared-key *****

PHA-FW01# show running-config nat
nat (EXT-VLAN20,OUTSIDE) source static VLAN20 VLAN20 destination static ALGOTECH ALGOTECH no-proxy-arp route-lookup
object network VLAN20
nat (EXT-VLAN20,OUTSIDE) dynamic interface

access-group INSIDE in interface INSIDE
access-group EXT-VLAN20 in interface EXT-VLAN20


3 Replies

Jouni Forss
VIP Alumni

Hi,

The command "sysopt connection permit-vpn" is the default setting and it only applies the interface ACL bypass to the interface that terminates the VPN. So that would be the interface connected to the external network. This won't have any effect on the interface ACLs of other interfaces.

So if you initiate or need to initiate connections from your LAN network to the remote networks through the L2L VPN connection, then you will have to allow this traffic on your LAN network's interface ACL.

If the situation was such that only the remote end initiated connections to your network, then "sysopt connection permit-vpn" would allow their connections to bypass the external interface's ACL. Though if you have a VPN Filter ACL configured, I think the traffic will still be matched against that ACL.

Here is the ASA Command Reference section about the "sysopt" command:

http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1567918

- Jouni

Thank you for your reply, and all of this sounds logical. But what will happen when the remote end initiates a connection to our network?

1.) Sysopt bypasses the OUTSIDE interface ACL. OK, I agree.

2.) Returned traffic from the LAN will have to pass through the INSIDE interface ACL and probably will not pass because there will not be a record in the connection track table? OR has the record in the connection track table been made by the vpn-filter?

Hi,

You don't need to allow return traffic on a Cisco firewall. If the connection has been allowed to form through the firewall, then the return traffic will be allowed back automatically. As soon as the firewall sees a TCP SYN, for example, and it's allowed, then the firewall will build a connection for it.

The interface ACLs or VPN Filter ACL only control if the connection is allowed. If it's allowed, then the connection is built on the firewall (naturally, if no other configuration fails the connection attempt, like NAT for example).

So for your LAN hosts to be able to initiate a connection to the remote network behind the L2L VPN connection, you will have to allow the traffic on their interface ACL.

For connections initiated from the remote network behind the L2L VPN connection, you will have to allow the traffic in the VPN Filter ACL you are using now.

One option would naturally be to use "no sysopt connection permit-vpn" and use the interface ACL of your firewall's external interface to control traffic coming from VPN connections. (You would not need a VPN Filter ACL then.) Naturally, depending on your current VPN setups, this might require some planning before changing the above setting so connections won't start to get blocked. (ACL rules would have to be configured before changing the setting.)

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
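The two answers above describe four moving parts: the ingress ACL of the LAN-facing interface, the "sysopt connection permit-vpn" bypass on the VPN-terminating interface, the vpn-filter ACL, and the connection table that admits return traffic. The following Python model is an added example, not Cisco code and not anything posted in this thread; it replays the four cases discussed (LAN-initiated with and without the questioned permit line, remote-initiated with the bypass on, remote-initiated with the bypass off) against an abridged copy of the EXT-VLAN20 ACL from the question. Sample hosts 10.1.2.10 and 10.10.22.5 are constructed, the LOCAL-NETS membership is an assumption (the page does not show it), ports, NAT and service object-groups are ignored, and the vpn-filter is applied only to traffic arriving from the tunnel, which is a simplification of the real ASA behaviour.

```python
"""Toy model of the ASA ingress decision discussed in the thread: interface ACL,
the "sysopt connection permit-vpn" bypass, vpn-filter, and the connection table.
Added example for illustration; it is not Cisco code and ignores ports, NAT and
service object-groups."""
import ipaddress
from dataclasses import dataclass, field

# Object membership. VLAN20 and ALGOTECH come from the thread; the thread does not
# show LOCAL-NETS, so its member below is an assumption.
OBJECTS = {
    "VLAN20": ["10.1.2.0/24"],
    "ALGOTECH": ["10.10.22.0/24", "172.16.15.11/32"],
    "LOCAL-NETS": ["10.1.0.0/16"],
}

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    dst: tuple

def parse_spec(tok, i):
    """Parse one ASA address spec at tok[i]; return (spec, next index)."""
    t = tok[i]
    if t == "any":
        return ("any", None), i + 1
    if t in ("object", "object-group"):
        return ("obj", tok[i + 1]), i + 2
    if t == "host":
        return ("net", ipaddress.ip_network(tok[i + 1])), i + 2
    return ("net", ipaddress.ip_network(f"{t}/{tok[i + 1]}", strict=False)), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST ...' lines; remarks are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[2] == "remark":
            continue
        action, proto, i = tok[3], tok[4], 5
        if proto == "object-group":       # service object-group: its name follows
            proto, i = tok[5], 6
        src, i = parse_spec(tok, i)
        dst, i = parse_spec(tok, i)
        acl.append(Ace(action, proto, src, dst))
    return acl

def addr_match(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "obj":  # objects whose members the thread does not show never match
        return any(ip in ipaddress.ip_network(n) for n in OBJECTS.get(val, []))
    return ip in val

def acl_lookup(acl, proto, src, dst):
    """First-match evaluation with the implicit deny every ASA ACL ends with."""
    for ace in acl:
        if ace.proto in ("ip", proto) and addr_match(ace.src, src) and addr_match(ace.dst, dst):
            return ace.action
    return "deny"

@dataclass
class Asa:
    iface_acl: dict           # interface name -> parsed ingress ACL
    vpn_filter: list          # group-policy vpn-filter ACL for tunnel traffic
    permit_vpn: bool = True   # sysopt connection permit-vpn (on by default)
    conns: set = field(default_factory=set)

    def ingress(self, iface, proto, src, dst, from_tunnel=False):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Replies to an established connection are admitted by the connection table alone.
        if (proto, d, s) in self.conns:
            return "allow (existing connection)"
        checks = []
        # The bypass only covers tunnel traffic on the interface that terminates the VPN.
        if not (from_tunnel and self.permit_vpn):
            checks.append((f"interface ACL {iface}", self.iface_acl.get(iface, [])))
        if from_tunnel and self.vpn_filter:
            checks.append(("vpn-filter", self.vpn_filter))
        for name, acl in checks:
            if acl_lookup(acl, proto, s, d) != "permit":
                return f"deny by {name}"
        self.conns.add((proto, s, d))
        return "allow (new connection)"

# Ingress ACL of the LAN-facing interface, abridged from the question.
EXT_VLAN20 = """
access-list EXT-VLAN20 remark ======================================================
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group ALGOTECH
access-list EXT-VLAN20 extended permit udp object VLAN20 object-group OUT-DNS-SERVERS eq domain
access-list EXT-VLAN20 extended permit ip object VLAN20 object VLAN10
access-list EXT-VLAN20 extended deny ip any object-group LOCAL-NETS log
access-list EXT-VLAN20 extended permit icmp any any echo
access-list EXT-VLAN20 extended deny ip any any log
"""
VPN_FILTER = "access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20"
LAN_HOST, REMOTE_HOST = "10.1.2.10", "10.10.22.5"   # constructed sample hosts

def build_asa(permit_line_present, permit_vpn=True):
    text = EXT_VLAN20 if permit_line_present else "\n".join(
        l for l in EXT_VLAN20.splitlines() if "object-group ALGOTECH" not in l)
    return Asa(iface_acl={"EXT-VLAN20": parse_acl(text), "OUTSIDE": []},
               vpn_filter=parse_acl(VPN_FILTER), permit_vpn=permit_vpn)

def lan_initiated(permit_line_present):
    """A LAN host opens a connection toward the remote network behind the L2L tunnel."""
    return build_asa(permit_line_present).ingress("EXT-VLAN20", "tcp", LAN_HOST, REMOTE_HOST)

def remote_initiated(permit_line_present, permit_vpn=True):
    """A remote host opens a connection through the tunnel, then the LAN host replies."""
    asa = build_asa(permit_line_present, permit_vpn)
    inbound = asa.ingress("OUTSIDE", "tcp", REMOTE_HOST, LAN_HOST, from_tunnel=True)
    reply = asa.ingress("EXT-VLAN20", "tcp", LAN_HOST, REMOTE_HOST)
    return inbound, reply

if __name__ == "__main__":
    print("LAN -> remote, permit line present :", lan_initiated(True))
    print("LAN -> remote, permit line removed :", lan_initiated(False))
    print("remote -> LAN + reply, sysopt on   :", remote_initiated(False))
    print("remote -> LAN + reply, sysopt off  :", remote_initiated(False, permit_vpn=False))
```

Running it reproduces the thread: with the questioned permit line removed, a LAN-initiated flow hits "deny ip any any" on EXT-VLAN20 before it can ever become interesting traffic for the tunnel, which is why the tunnel never comes up in that case; a remote-initiated flow bypasses the OUTSIDE ACL, is admitted by the vpn-filter, and its reply passes EXT-VLAN20 on the connection table without any permit line; turning the bypass off with an empty OUTSIDE ACL drops the remote-initiated flow, which is the planning caveat in the last answer.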