https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174678#M877818 <HTML><HEAD></HEAD><BODY><P>you can add the rule , not a problem</P></BODY></HTML> Sun, 11 Jan 2009 10:39:54 GMT rickyjohnt 2009-01-11T10:39:54Z https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174677#M877817 <P>Hi </P><P>I need to ask a simple question, </P><P>I have a site to site VPN, and it is working properly, </P><P>If i want to add an access-list on the outside interface of the firewall for the incoming traffic, does it affect the VPN Traffic? i have to permit anything related to the VPN in the access-list??</P><P></P> Mon, 11 Mar 2019 14:35:25 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174677#M877817 jorjes1984 2019-03-11T14:35:25Z https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174678#M877818 <HTML><HEAD></HEAD><BODY><P>you can add the rule , not a problem</P></BODY></HTML> Sun, 11 Jan 2009 10:39:54 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174678#M877818 rickyjohnt 2009-01-11T10:39:54Z https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174679#M877819 <HTML><HEAD></HEAD><BODY><P>Add the rule without adding anything related to the VPN, yah?</P></BODY></HTML> Sun, 11 Jan 2009 10:56:23 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174679#M877819 jorjes1984 2009-01-11T10:56:23Z https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174680#M877820 <HTML><HEAD></HEAD><BODY><P>hi Jorjes,</P><P></P><P> if you have given "sysopt connection permit-ipsec " in global configuration mode of the device to allow the VPN traffic to bypass interface access lists, none of the access-list at the interface will block your VPN traffic.</P><P>Please visit the following url for more info</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414</A></P><P></P><P>Thanks</P><P>Jithesh K Joy</P></BODY></HTML> Mon, 12 Jan 2009 07:10:34 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174680#M877820 Jithesh K Joy 2009-01-12T07:10:34Z https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174681#M877821 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Jithesh is right. if you use the command "sysopt connection permit-ipsec " all interface acls will be bypassed by vpn traffic. </P><P>if you are using os 7.x and greater, there is a new command under the group policy for each VPN that can effectively filter traffic for each VPN. it is the "vpn-filter" command.</P><P>check out the link:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607</A></P><P></P><P>regards,</P></BODY></HTML> Mon, 12 Jan 2009 11:07:51 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-with-access-list-on-the-outside-interface/m-p/1174681#M877821 akin_lopez 2009-01-12T11:07:51Z