- ```text
  Vpn# show run all | i mtu
  mtu outside 1500
  crypto ipsec security-association pmtu-aging infinite
  anyconnect mtu 1406
  vpn# show run all | i sysopt
  no sysopt connection timewait
  sysopt connection tcpmss 1380
  sysopt connection tcpmss minimum 0
  sysopt connection permit-vpn
  sysopt connection reclassify-vpn
  no sysopt connection preserve
  ```
- Hi, we have a couple of VPN tunnels and at present we are not able to restrict VPN tunnel traffic in the ASA. We are planning to remove sysopt connection permit-vpn from the ASA so that we can restrict VPN tunnel traffic using the inside and outside ACLs.
With 'no sysopt connection permit-vpn', you have to allow the traffic coming through your VPN in the interface ACLs of your ASA (just like traffic that does not come through the VPN). With 'sysopt connection permit-vpn' (which is recommended by Cisco), VPN traffic bypasses all interface ACLs. It is possible that an ACL is bound as a 'vpn-filter' to your VPN.
When enabled, the command allows packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. In other words, the traffic will bypass the access lists configured on the interfaces, so it will not be necessary to explicitly allow the traffic.
To verify if it is enabled you have to perform the show run all sysopt command:
```text
ASA# show running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
```
In case you want to filter the encapsulated traffic, you have to use the vpn-filter command in the group-policy attributes and apply that group policy to the tunnel-group associated with the VPN you are configuring:
```text
access-list 100 extended deny tcp any host 10.10.1.10 eq 80
access-list 100 extended permit ip any any
group-policy CustomerA internal
group-policy CustomerA attributes
 vpn-filter value 100
tunnel-group 172.16.1.1 general-attributes
 default-group-policy CustomerA
```
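The two answers above describe the check a practitioner wants to run on every ASA: is `sysopt connection permit-vpn` enabled (so interface ACLs are bypassed), and if so, does every tunnel-group end up on a group-policy that carries a `vpn-filter`? The following audit script is an added example written for this page, not code from the thread or from Cisco. It parses a `show running-config all` dump (a constructed sample is embedded; the `CustomerB` policy, the `172.16.2.1` and `172.16.3.1` tunnel-groups and the `DfltGrpPolicy` block are assumptions for the sample) and reports which tunnel-groups would pass decrypted traffic with no ACL applied at all.

```python
"""Audit an ASA running-config for VPN traffic that bypasses every ACL.

Added example (not from the thread). Reads 'show running-config all' text,
records whether 'sysopt connection permit-vpn' is on, maps each
group-policy to its vpn-filter ACL (if any), and resolves each
tunnel-group to its effective group-policy.
"""
import re
from dataclasses import dataclass, field

DEFAULT_POLICY = "DfltGrpPolicy"  # ASA's built-in fallback when no default-group-policy is set

# Constructed sample config, modelled on the snippets in the thread.
SAMPLE_CONFIG = """\
sysopt connection permit-vpn
access-list 100 extended deny tcp any host 10.10.1.10 eq 80
access-list 100 extended permit ip any any
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy CustomerA internal
group-policy CustomerA attributes
 vpn-filter value 100
group-policy CustomerB internal
group-policy CustomerB attributes
 dns-server value 10.0.0.53
tunnel-group 172.16.1.1 general-attributes
 default-group-policy CustomerA
tunnel-group 172.16.2.1 general-attributes
 default-group-policy CustomerB
tunnel-group 172.16.3.1 general-attributes
"""


@dataclass
class VpnAclAudit:
    permit_vpn: bool = False
    group_policy_filters: dict = field(default_factory=dict)  # policy -> ACL name or None
    tunnel_group_policy: dict = field(default_factory=dict)   # tunnel-group -> policy or None

    def effective_policy(self, tunnel_group: str) -> str:
        return self.tunnel_group_policy.get(tunnel_group) or DEFAULT_POLICY

    def unfiltered_tunnel_groups(self) -> list:
        """Tunnel-groups whose decrypted traffic is matched by no vpn-filter ACL."""
        return sorted(
            tg for tg in self.tunnel_group_policy
            if self.group_policy_filters.get(self.effective_policy(tg)) is None
        )

    def findings(self) -> list:
        """Human-readable summary of the risk posture."""
        if not self.permit_vpn:
            return ["permit-vpn is DISABLED: interface ACLs apply to VPN traffic"]
        out = ["permit-vpn is ENABLED: VPN traffic bypasses interface ACLs"]
        for tg in self.unfiltered_tunnel_groups():
            out.append(f"tunnel-group {tg} (policy {self.effective_policy(tg)}) "
                       "has no vpn-filter: its traffic is unrestricted")
        return out


def parse_asa_config(text: str) -> VpnAclAudit:
    audit = VpnAclAudit()
    ctx_kind = ctx_name = None  # the group-policy / tunnel-group block we are inside
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command: leaves any block
            ctx_kind = ctx_name = None
            if stripped == "sysopt connection permit-vpn":
                audit.permit_vpn = True
            elif stripped == "no sysopt connection permit-vpn":
                audit.permit_vpn = False
            elif m := re.match(r"group-policy (\S+) (internal|attributes)$", stripped):
                audit.group_policy_filters.setdefault(m.group(1), None)
                if m.group(2) == "attributes":
                    ctx_kind, ctx_name = "gp", m.group(1)
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", stripped):
                audit.tunnel_group_policy.setdefault(m.group(1), None)
                ctx_kind, ctx_name = "tg", m.group(1)
            continue
        # indented line: a sub-command of the current block
        if ctx_kind == "gp" and (m := re.match(r"vpn-filter value (\S+)", stripped)):
            audit.group_policy_filters[ctx_name] = m.group(1)
        elif ctx_kind == "tg" and (m := re.match(r"default-group-policy (\S+)", stripped)):
            audit.tunnel_group_policy[ctx_name] = m.group(1)
    return audit


if __name__ == "__main__":
    for line in parse_asa_config(SAMPLE_CONFIG).findings():
        print(line)
```

On the sample, only `172.16.1.1` is covered by ACL 100; `172.16.2.1` lands on a policy without a vpn-filter and `172.16.3.1` falls back to `DfltGrpPolicy`, so both are reported. Feed the script the real `show running-config all` output (not `show running-config`, which omits defaulted sysopt lines) to get the same answer for a production box.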