Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

sysopt command

Hi ,

the command sysopt connection permit-ipsec ?

when I enable that command the vpn conenctions will be allowed inbound from the tunnel without checking the outside interface access list .

Suppose the vpn traffic is coming to dmz interface . DO I need to allow the traffic on the dmz interface ACl for the inbound traffic and outbound traffic or it works only with the crypto and nat 0 ACL

Raj

9 REPLIES
Community Member

Re: sysopt command

The command, "sysopt connection permit-ipsec" only by-passes the ACL on the ingress interface (Usually Outside).

Please see the definition and usage guidelines here...

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1541923

sysopt connection permit-ipsec

For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

Usage Guidelines

You might want to bypass interface access lists for decrypted traffic to simplify configuration and to maximize the security appliance performance. If you disable this feature, you must apply an access list to the ingress interface that permits decrypted IPSec packets from all IPSec peers (see the the access-list and access-group commands).

Community Member

Re: sysopt command

Hi,

For ingress traffic the vpn terminates on the outside interafce .

But the servers to be accessed are located in the dmz interface.

so we have to give access list on the dmz if I use the sysopt command as well

raj

Community Member

Re: sysopt command

That is correct.

Community Member

Re: sysopt command

Hi

I have one question here

For example my firewall have two interface inside and outside.

.If sysopt is enable :it bypasses the acl on outside interface.

.Do we require access-list to allow the traffic on inside interface (coming from inside host tends for vpn) besides crypto acl?

Thank you

Re: sysopt command

Hi,

The "sysopt connection permit vpn" command does take effect on any interface where a crypto map is applied or SSL VPN is enabled.

This command is to bypass the ACL but not the NAT rule, so you still need a NAT from DMZ to Outside to allow the traffic flow from a lower to a higher security level interface, if NAT-CONTROL is enabled.

To allow the return traffic for instance, from DMZ to Outside, you need to make sure that any ACL applied to the DMZ interface allows the traffic in question.

HTH.

Portu.

Please rate any helpful posts

Community Member

Re: sysopt command

Many thanks Jportugu,

So I can conclude that,

IF sysopt is enabled :

We always require acl on interface say from dmz to outside which must be subset of crypto acl.(whether traffic is return traffic or any host on dmz is initiating the traffic )

Re: sysopt command

Yes, you are correct.

The access-list is not always required, since remember that we are coming from a higher security level to a lower.

For instance:

interface f0/0

     nameif dmz

     security-level 50

     ip add 192.168.1.0 255.255.255.0

!

interface f0/1

     nameif outside

     security-level 0

     ip add 1.1.1.1 255.255.255.248

!

access-list crypto_map_10 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 1.1.1.2

Scenario 1:

If there is no ACL, then no need to add one to allow traffic from dmz to outside. However nat-control is enabled, so we need to add:

access-list nonat_dmz permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Scenario 2:

There is an access-list applied to the dmz interface as follows:

access-list dmz_in permit ip 192.168.1.0 255.255.255.0 host 74.125.134.104

access-group dmz_in in interface dmz

So, since there is an implicit "deny ip any any" we must add:

access-list dmz_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.0

And if nat-control is enabled or any other NAT rule may affect this traffic then:

access-list nonat_dmz permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Conclusions:

"sysopt connection permit vpn" bypasses outside ACL.

An ACL is not always required as long as you are coming from higher to lower (dmz to outside, for instance).

NAT exempt is required as long as nat-control is enabled or in case if there is any other NAT rule that may affect.

Hope to help.

Portu

Please rate any helpful posts

Re: sysopt command

Hi,

Please mark this question as answered if you do not have any further questions, do not forget to rate any helpful posts

Thanks.

Community Member

Re: sysopt command

Thanks

707
Views
20
Helpful
9
Replies
CreatePlease to create content