<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSec VPN and ACL Issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ipsec-vpn-and-acl-issue/m-p/1193657#M859570</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sysopt-connection permit ipsec is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL.  You could either remove that command, not necessarily recommended, or if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass nat for the addresses you want to allow users to access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Remember, if you remove "sysopt connection permit ipsec", you'll have to specifically allow access to any service you want VPN users to access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You should probably also edit your post and remove your public IP address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 02 Jun 2009 10:54:29 GMT</pubDate>
    <dc:creator>f00f1ter</dc:creator>
    <dc:date>2009-06-02T10:54:29Z</dc:date>
    <item>
      <title>IPSec VPN and ACL Issue</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-and-acl-issue/m-p/1193656#M859564</link>
      <description>&lt;P&gt;Hey, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am using a Cisco ASA 5510 as my organization's firewall, which we purchased days ago. I have created an IPSec Remote Access VPN with it. My branch office is located in another city, which I need to connect through the VPN. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have configured my IPSec VPN on the ASA with all the policies I need, and at the client end I installed the Cisco VPN Client software. Now I can connect to my VPN server (ASA) from my branch office. I am also getting an IP address from the pool which I allocated during setup of the VPN. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Public IP configured on my ASA (outside): 203.75.180.2 &lt;/P&gt;&lt;P&gt;Inside IP: 10.10.4.11&lt;/P&gt;&lt;P&gt;My local network is running on 10.10.x.x 255.255.0.0 &lt;/P&gt;&lt;P&gt;VPN client pool is 10.10.21.1-10.10.21.15 255.255.255.240 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I want to apply an ACL to my VPN traffic to restrict it, in the sense that I don't want my VPN users to access any resource at my head office except 2 web applications and 1 software application. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Initially, I can ping from head office to branch office and vice versa after the VPN is connected with no ACLs configured. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now my question is: in what way do I need to apply the ACL between my outside and inside users? I tried to apply an ACL, but still all my resources are available to the 10.10.21.0 users. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list 101 deny tcp 10.10.21.0 255.255.255.240 10.10.2.11 255.255.255.255 eq http &lt;/P&gt;&lt;P&gt;access-group 101 in interface outside. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is the ACL which I have applied on my outside interface, but after that I can still access 10.10.10.2.11 from my branch office. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can anyone help me out? &lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 15:38:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-and-acl-issue/m-p/1193656#M859564</guid>
      <dc:creator>srsiddiqui</dc:creator>
      <dc:date>2019-03-11T15:38:30Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec VPN and ACL Issue</title>
      <link>https://community.cisco.com/t5/network-security/ipsec-vpn-and-acl-issue/m-p/1193657#M859570</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sysopt-connection permit ipsec is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL.  You could either remove that command, not necessarily recommended, or if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass nat for the addresses you want to allow users to access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Remember, if you remove "sysopt connection permit ipsec", you'll have to specifically allow access to any service you want VPN users to access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You should probably also edit your post and remove your public IP address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 02 Jun 2009 10:54:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ipsec-vpn-and-acl-issue/m-p/1193657#M859570</guid>
      <dc:creator>f00f1ter</dc:creator>
      <dc:date>2009-06-02T10:54:29Z</dc:date>
    </item>
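    Added example (not from either poster's configuration): the "remove sysopt and permit explicitly" option the reply describes, written out as an ASA configuration. On the ASA the command is "sysopt connection permit-vpn" (the PIX 6.x name was "permit-ipsec"), it is enabled by default, and while it is on, decrypted VPN traffic is never checked against the interface ACL, which is why the poster's access-list 101 had no effect. The pool 10.10.21.0/28 and the web host 10.10.2.11 come from the thread; the second web host (10.10.2.12) and the software application host and port (10.10.2.20, tcp/8080) are placeholders for servers the thread does not name.

```cisco
! Added example, not the poster's running config. Assumes ASA 7.x/8.x syntax.
! From the thread: VPN client pool 10.10.21.0/28, web application at 10.10.2.11.
! Placeholders (not named in the thread): second web app 10.10.2.12,
! software application 10.10.2.20 on tcp/8080.

! 1. Stop decrypted VPN traffic from bypassing the outside interface ACL.
!    This setting is on by default and applies to every tunnel on the ASA,
!    so any other VPN (for example a site-to-site tunnel) now also needs
!    explicit permits in the interface ACL.
no sysopt connection permit-vpn

! 2. With the bypass gone, only explicit permits get through. Source is the
!    client pool, destinations are the three applications. Everything else
!    from the pool is dropped by the implicit deny at the end of the list;
!    a deny-with-log entry makes those drops visible in the syslog.
access-list VPN_IN extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.11 eq www
access-list VPN_IN extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.12 eq www
access-list VPN_IN extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.2.20 eq 8080
access-list VPN_IN extended deny ip 10.10.21.0 255.255.255.240 any log

! 3. Remote-access client traffic arrives decrypted on "outside", so that is
!    the interface and direction the list belongs on (as the poster had it).
access-group VPN_IN in interface outside

! 4. Check: the bypass is off, and the permit lines accumulate hit counts
!    when a client opens the applications, while pings to other hosts fail.
show running-config sysopt
show access-list VPN_IN
```

    Note that a deny-only list like the poster's access-list 101 still blocks everything once the bypass is removed, because nothing is permitted before the implicit deny; the permits above are what actually lets the three applications through.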
  </channel>
</rss>

