topic asa VPN question in Network Security

asa VPN question

Stuart Gall — Tue, 12 Mar 2019 00:20:46 GMT

Hello,
I have several working VPNs between ASAs 8.4 and 8.3
The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.
I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.

If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?

Sent from Cisco Technical Support iPad App

asa VPN question

Julio Carvajal — Thu, 08 Nov 2012 21:34:06 GMT

Hello Stuart,

You could use Reverse Path Check and take those ACL lines (RFC 1918 addresses.)

Now regarding ACL for vpn traffic, by default vpn traffic will not be inspected over the interface ACL's but you can restrict it with any of the interfaces ( remove the syspot permit vpn and that will start inspecting VPN traffic with ACL's)

Remember to rate all of the helpful posts

Julio