topic Re: IPSec VPN tunneled traffic does not require an ACL? in Network Security

IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 19:42:38 GMT

I tested today the establishment of a Route Based IPsec VPN between the ASA and the FTD.
Everything works fine however I was surprised that on the ASA I didn't have to add a single ACL.
I wonder if traffic destined to the tunnel is treated like traffic from a higher security "zone" to a lower security "zone"?

Re: IPSec VPN tunneled traffic does not require an ACL?

Rob Ingram — Fri, 21 Feb 2025 19:45:23 GMT

@krzysztofmaciejewskiit Access control lists can be applied on a VTI interface to control traffic through VTI. To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, the sysopt connection permit-vpn command is used.

Re: IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 19:48:30 GMT

Thanks for the information, I didn't know about that.
However, in my case there is no this command entered, and still all traffic destined to and from the tunnel passes correctly.

Re: IPSec VPN tunneled traffic does not require an ACL?

Rob Ingram — Fri, 21 Feb 2025 19:53:26 GMT

@krzysztofmaciejewskiit it's enabled as default, it would only appear in the configuration if it explictly disabled.

ASA(config)# no sysopt connection permit-vpn
ASA(config)# show run | i sysopt
no sysopt connection permit-vpn
ASA(config)#
ASA(config)# sysopt connection permit-vpn
ASA(config)# show run | i sysopt
ASA(config)#

So if you cannot see it in the configuration it is enabled.

Re: IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 20:10:47 GMT

A very interesting one. Thanks for the helpful reply!

Re: IPSec VPN tunneled traffic does not require an ACL?

MHM Cisco World — Fri, 21 Feb 2025 20:11:50 GMT

Sysop connection not work and not effect route based vpn in FTD (use zone)

You need ACP' or you already use prefilter pass all traffic in ftd

For ASA I think you need it.

MHM

Re: IPSec VPN tunneled traffic does not require an ACL?

MHM Cisco World — Fri, 21 Feb 2025 20:14:03 GMT

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html <<- the note I mentioned above list here.

MHM

Re: IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 20:17:37 GMT

Yes, on FTD I intentionally allowed this traffic using Access Control. However, on the ASA I did nothing completely, no ACLs or using the sysopt command.

Re: IPSec VPN tunneled traffic does not require an ACL?

MHM Cisco World — Fri, 21 Feb 2025 20:32:52 GMT

Check below

MHM

Re: IPSec VPN tunneled traffic does not require an ACL?

MHM Cisco World — Fri, 21 Feb 2025 20:21:41 GMT

I explain why in my second comments'

Use show interface ip breif check secuirty level.

MHM

Re: IPSec VPN tunneled traffic does not require an ACL?

Rob Ingram — Fri, 21 Feb 2025 20:38:37 GMT

@MHM Cisco World wrote:

For ASA if you not specify secuirty level then it by defualt set to 100 and I think it same as inside interface.

This with use same secuirty inter will make traffic pass from inside to vti.

Abd hence also sysop no have any effect here.

MHM

No actually By default, the security level for VTI interfaces is 0. You cannot configure the security level.

Re: IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 20:26:24 GMT

security levels are set manually, zone inside 90, outside 10.

Re: IPSec VPN tunneled traffic does not require an ACL?

MHM Cisco World — Fri, 21 Feb 2025 20:32:07 GMT

Yes as Mr Rob mention and check vti level is 0 by defualt.

Traffic initiate from asa inside to vti

So from inside 90 to 0 allow by defualt (no need sysop here)

And retrun traffic is allow since it have conn

For traffic initiate from FTD

The traffic from 0 to 90 is not allow unless you use sysop (by defualt enable)

The return traffic is allow since it have conn

Thanks to all

MHM

Re: IPSec VPN tunneled traffic does not require an ACL?

krzysztofmaciejewskiit — Fri, 21 Feb 2025 20:33:27 GMT

All clear and logical.