https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605485#M202633 <P>it turns out I cant remove a post added by accident (this)</P> Mon, 08 Dec 2014 11:42:21 GMT dtremolo1 2014-12-08T11:42:21Z https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605483#M202630 <TABLE style="border: 0px; margin: 0px; padding: 0px; font-size: 13px; vertical-align: baseline; color: rgb(68, 68, 68); font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 16.8999996185303px; background-color: rgb(253, 253, 253);"><TBODY style="margin: 0px; padding: 0px; border: 0px; vertical-align: baseline;"><TR style="margin: 0px; padding: 0px; border: 0px; vertical-align: baseline;"><TD class="votecell" style="border: 0px; margin: 0px; padding: 2px 10px 0px 0px; vertical-align: top; width: 50px;">&nbsp;</TD><TD class="postcell" style="border: 0px; margin: 0px; padding: 0px 0px 20px; vertical-align: top;"><DIV style="margin: 0px; padding: 0px; border: 0px; vertical-align: baseline;"><DIV class="post-text" itemprop="text" style="margin: 0px 5px 5px 0px; padding: 0px; border: 0px; font-size: 14px; vertical-align: baseline; width: 660px; word-wrap: break-word; line-height: 1.4em; color: rgb(17, 17, 17);"><P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;">I found by accident that access which wasn't explicitly permitted in ACLs still was able to went through. This only seem to happen when the src originates from a site-to-site vpn and a ciient vpn.&nbsp;A permit rule does not increase the counter, a deny does but traffic is let through anyway.&nbsp;What could be the cause of this? &nbsp;<STRONG>I don't have sysopt permit-vpn.</STRONG></P> <P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;"><BR /><SPAN style="line-height: 19.6000003814697px;">interface "ldap"</SPAN></P> <PRE style="padding: 5px; font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; font-size: 12px; word-wrap: normal; border-width: 0px 0px 0px 2px; border-left-style: dotted; border-left-color: rgb(204, 204, 204); vertical-align: baseline; overflow: auto; width: auto; max-height: 600px; background: rgb(238, 238, 238);"> <CODE style="font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; color: rgb(34, 34, 34); white-space: inherit; margin: 0px; vertical-align: baseline; background-image: none; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">access-group ldap_access_in in interface ldap <STRONG>access-group ldap_access_out out interface ldap </STRONG></CODE></PRE> <P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;">I had zero hits until I started to try ssh;</P> <PRE style="padding: 5px; font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; font-size: 12px; word-wrap: normal; border-width: 0px 0px 0px 2px; border-left-style: dotted; border-left-color: rgb(204, 204, 204); vertical-align: baseline; overflow: auto; width: auto; max-height: 600px; background: rgb(238, 238, 238);"> <CODE style="font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; color: rgb(34, 34, 34); white-space: inherit; margin: 0px; vertical-align: baseline; background-image: none; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">access-list ldap_access_out line 1 extended deny tcp host 10.99.2.70 host 10.99.11.8 eq ssh (<STRONG>hitcnt=5)</STRONG> 0xa18d6298 </CODE></PRE> <P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;">If I wait ten minutes without connecting, no hits. Checking on the remote host who is logged on I can see that the source address is what I expect it to be, and capture captures the traffic.</P> <P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;">4 minutes after the previous tries, I will now connect three times and check the hit count:</P> <PRE style="padding: 5px; font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; font-size: 12px; word-wrap: normal; border-width: 0px 0px 0px 2px; border-left-style: dotted; border-left-color: rgb(204, 204, 204); vertical-align: baseline; overflow: auto; width: auto; max-height: 600px; background: rgb(238, 238, 238);"> <CODE style="font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; color: rgb(34, 34, 34); white-space: inherit; margin: 0px; vertical-align: baseline; background-image: none; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">[user@ldap0 ~]$ ssh 10.99.11.8 Last login: Thu Nov 20 13:48:34 2014 from 10.99.2.70 [user@root0 ~]$ logout Connection to 10.99.11.8 closed. [user@ldap0 ~]$ ssh 10.99.11.8 Last login: Thu Nov 20 13:53:23 2014 from 10.99.2.70 [user@root0 ~]$ ^C [user@root0 ~]$ logout Connection to 10.99.11.8 closed. [user@ldap0 ~]$ ssh 10.99.11.8 Last login: Thu Nov 20 13:53:24 2014 from 10.99.2.70 [user@root0 ~]$ logout Connection to 10.99.11.8 closed. </CODE></PRE> <P style="margin-bottom: 1em; line-height: 19.6000003814697px; padding: 0px; border: 0px; vertical-align: baseline; clear: both;">And ...</P> <PRE style="padding: 5px; font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; font-size: 12px; word-wrap: normal; border-width: 0px 0px 0px 2px; border-left-style: dotted; border-left-color: rgb(204, 204, 204); vertical-align: baseline; overflow: auto; width: auto; max-height: 600px; background: rgb(238, 238, 238);"> <CODE style="font-family: 'Droid Sans Mono', Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; color: rgb(34, 34, 34); white-space: inherit; margin: 0px; vertical-align: baseline; background-image: none; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;">access-list ldap_access_out line 1 extended deny tcp host 10.99.2.70 host 10.99.11.8 eq ssh (hitcnt=8) 0xa18d6298 </CODE></PRE> <DIV>&nbsp;</DIV></DIV></DIV></TD></TR></TBODY></TABLE> Tue, 12 Mar 2019 05:11:44 GMT https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605483#M202630 dtremolo1 2019-03-12T05:11:44Z https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605484#M202632 <P>"sysopt connection permit-vpn" is <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#pgfId-1042737">enabled by default</A>. If you want to control the traffic that is sent through the tunnel you can:</P><OL><LI>Disable it with "no sysopt connection permit-vpn" and control it with the interface ACL.</LI><LI>Configure a vpn-filter that is applied to a the group-policy for the tunnel-group.</LI></OL> Mon, 08 Dec 2014 10:01:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605484#M202632 Karsten Iwen 2014-12-08T10:01:50Z https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605485#M202633 <P>it turns out I cant remove a post added by accident (this)</P> Mon, 08 Dec 2014 11:42:21 GMT https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605485#M202633 dtremolo1 2014-12-08T11:42:21Z https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605486#M202636 <P>Thanks Karsten!</P> Mon, 08 Dec 2014 11:42:42 GMT https://community.cisco.com/t5/network-security/cisco-asa-vpn-bypass-interface-out-acls/m-p/2605486#M202636 dtremolo1 2014-12-08T11:42:42Z