ASA 7.3 - logging sysopt connection permit-vpn

Mel Popple
Level 1

The client has an outside ASA in transparent mode which has "sysopt connection permit-vpn" enabled. There are also ACL rules to only allow certain outside Internet-located routers to create VPNs to the internal ASA.

How is it best to log connections from the external routers on the transparent ASA? At the moment it is set to log at level 4, but the probable questions are:

1) Is "sysopt connection permit-vpn" relevant on an ASA in transparent mode that isn't terminating the VPNs?

2) If a transparent mode ASA has ACL rules for the usual VPN protocols included in the outside interface ACLs, will they ever get matched?

3) Can we do away with the ACL entries, or is the sysopt command redundant on a transparent ASA?

Thanks

Mel

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Mel,

1- No, as that command is only for a VPN endpoint with ACLs. In this case it is just a VPN pass-through device.

2- Yes, they will get matched as usual, as traffic from the lower security level to the higher will need to be allowed over an interface.

3- If you take out the ACL on the Outside (Transparent ASA) then the VPN attempts will not be allowed to the internal ASA.

The sysopt connection permit-vpn should be relevant only to the internal ASA.

Remember to rate all the helpful posts, that is as good as a thanks.

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
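As an added illustration that is not part of the original thread, here is a constructed configuration for the transparent outside ASA that reflects the advice above: the outside interface ACL admits only the IKE, NAT-T and ESP flows from the approved peer routers to the internal VPN-terminating ASA and logs every hit, while "sysopt connection permit-vpn" is left to the internal ASA. The peer router addresses, the internal ASA address, the object-group and ACL names, the syslog collector address and the interface names are all assumptions chosen for the example.

```cisco
! Constructed example, not from the original post. Transparent-mode outside ASA
! that only passes IPsec VPN set-up traffic from two approved Internet routers
! to the internal VPN-terminating ASA. All addresses and names are assumptions.
!
object-group network VPN-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.20
!
! IKE/ISAKMP (UDP 500), NAT-Traversal (UDP 4500) and ESP (IP protocol 50),
! each with the "log" keyword so every new flow raises syslog 106100 at the
! informational level. 198.51.100.5 is the assumed internal ASA VPN address.
access-list OUTSIDE-IN extended permit udp object-group VPN-PEERS host 198.51.100.5 eq isakmp log informational
access-list OUTSIDE-IN extended permit udp object-group VPN-PEERS host 198.51.100.5 eq 4500 log informational
access-list OUTSIDE-IN extended permit esp object-group VPN-PEERS host 198.51.100.5 log informational
!
! Explicit final deny, logged at a higher severity (warnings) so attempts from
! non-approved sources stand out from the permitted peer traffic.
access-list OUTSIDE-IN extended deny ip any any log warnings
!
access-group OUTSIDE-IN in interface outside
!
! Ship the syslogs off-box. "logging trap" must be at least as verbose as the
! level used on the ACEs (informational here) or the permit hits are dropped.
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.50
!
! On the INTERNAL (VPN-terminating) ASA, "sysopt connection permit-vpn" is on
! by default and lets decrypted VPN traffic bypass the interface ACL. Nothing
! equivalent is needed on this transparent pass-through ASA. To force the
! interface ACL onto decrypted traffic on the internal ASA instead, use:
!   no sysopt connection permit-vpn
```

Logging the permit ACEs at informational and the trailing deny at warnings means a collector filtering on level 4, as in the question, still sees rejected attempts, while the per-peer permit records only arrive once the trap level is raised to informational. Because the ASA is transparent, the interface ACL is still evaluated for IP traffic crossing from the lower-security outside interface to the higher-security inside interface, which is why the permit entries remain necessary.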


2 Replies


Thanks Julio, that has cleared up some points we weren't too clear about.
