topic Re: Blocking traffic in Network Security

Blocking traffic

HMidkiff — Mon, 11 Mar 2019 18:31:43 GMT

I have an ASA5520. I have a host I need to block access to for users who come in on a VPN. When they come in they get an IP from the ASA on a unique subnet. Thought it would be easy and I could just block the traffic with an ACL statement on the INSIDE interface, but the traffic still got through. 0 hits on the ACL. I did a syslog and saw the traffic going through the OUTSIDE interface, so I decided to added an ACL statement there and the traffic still got through. Hmmmm Am I missing something? Does the ASA treat traffic on VPN different?

Re: Blocking traffic

Kevin Redmon — Fri, 27 Aug 2010 18:57:53 GMT

The command that may be causing you this grief is 'sysopt connection permit-vpn'. This command, based on the command reference below, allows all VPN traffic to bypass access-lists:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

To confirm if this command is enabled on your device, run the command 'show run all sysopt'. To disable this command, requiring all VPN traffic to be checked against the access-lists, issue the command 'no sysopt connection permit-vpn'.

Give this a shot! If it helps, be sure to mark this thread as answered.

Best Regards,

Kevin

Re: Blocking traffic

HMidkiff — Fri, 27 Aug 2010 20:20:51 GMT

Kevin:

Thank you for replying to my post.

You were right. Out put is below. I assume if I remove the "sysopt connection permit-vpn" I will need to have ACL's configured to allow traffic to my VPN clients?

ASA5520(config)# sh run all sysopt

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn

Thanks again....

Harrison

Re: Blocking traffic

Kevin Redmon — Fri, 27 Aug 2010 20:54:41 GMT

Harrison,

Actually, you shouldn't need access-lists to get to your clients unless you have explicitly chosen to configure an access-list on the inside interface (on an ASA, high-to-low traffic is permitted by default) - this 'sysopt' command shouldn't effect traffic to the clients in either case. However, as the clients enter your network, they will be susceptible to the interface access-lists that you have defined, for instance, 'access-group inside_out out interface inside'.

If you read the command reference, it gives a pretty good summary as to the comand expectations. Also, as provided within this command reference, you may benefit from group policy and per-user authorization access lists as, even in the presence of 'sysopt connection permit-vpn', these still apply to the traffic

Hope this helps.

Kevin

Re: Blocking traffic

manish arora — Fri, 27 Aug 2010 20:55:00 GMT

Hi Harrison,

Just for your infomation , removing sysopt connection permit-vpn will also make your L2L vpn traffic screen against the outside interface access list. If you want to just stop access to the host for remote vpn client and have split tunnelling configured , you just deny access to the host from the split tunnel acl.

Thanks

Manish

Re: Blocking traffic

HMidkiff — Fri, 27 Aug 2010 21:43:23 GMT

Kevin:

Thanks again for replying.

I tried denying the traffic there to and it still makes it through. On the ACL I moved it to the top.

Harrison

Re: Blocking traffic

manish arora — Fri, 27 Aug 2010 21:58:20 GMT

Can you post your configuration without public ip's and passwords.

Thanks

Manish

Re: Blocking traffic

HMidkiff — Mon, 30 Aug 2010 15:14:56 GMT

Manish:

Thanks for your reply to my posts.

I fixed the problem. In my split tunnel statements I had allowed access to the specific host higher in the ACL. I removed it and the host was blocked.

Thanks for you help....

Harrison

Re: Blocking traffic

Kevin Redmon — Mon, 30 Aug 2010 15:20:03 GMT

Harrison,

If you can, please be sure to mark this thread as 'answered' for the benefits of others.

Thanks for using the Support Forums.

Best Regards,

Kevin