Blocking traffic

HMidkiff
Level 1

I have an ASA5520.  I have a host I need to block access to for users who come in on a VPN.  When they come in they get an IP from the ASA on a unique subnet.  Thought it would be easy and I could just block the traffic with an ACL statement on the INSIDE interface, but the traffic still got through.  0 hits on the ACL.  I did a syslog and saw the traffic going through the OUTSIDE interface, so I decided to add an ACL statement there and the traffic still got through.  Hmmmm   Am I missing something?  Does the ASA treat traffic on VPN differently?


Kevin Redmon
Cisco Employee

The command that may be causing you this grief is 'sysopt connection permit-vpn'.  This command, based on the command reference below, allows all VPN traffic to bypass access-lists:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

To confirm if this command is enabled on your device, run the command 'show run all sysopt'.  To disable this command, requiring all VPN traffic to be checked against the access-lists, issue the command 'no sysopt connection permit-vpn'.

Give this a shot!  If it helps, be sure to mark this thread as answered.

Best Regards,

Kevin

Kevin:

Thank you for replying to my post.

You were right.  Output is below.  I assume if I remove the "sysopt connection permit-vpn" I will need to have ACLs configured to allow traffic to my VPN clients?

ASA5520(config)# sh run all sysopt

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn

Thanks again....

Harrison

Harrison,

Actually, you shouldn't need access-lists to get to your clients unless you have explicitly chosen to configure an access-list on the inside interface (on an ASA, high-to-low traffic is permitted by default) - this 'sysopt' command shouldn't affect traffic to the clients in either case. However, as the clients enter your network, they will be susceptible to the interface access-lists that you have defined, for instance, 'access-group inside_out out interface inside'.

If you read the command reference, it gives a pretty good summary as to the command expectations.  Also, as provided within this command reference, you may benefit from group policy and per-user authorization access lists as, even in the presence of 'sysopt connection permit-vpn', these still apply to the traffic.

Hope this helps.

Kevin

Hi Harrison,

Just for your information, removing sysopt connection permit-vpn will also make your L2L VPN traffic screened against the outside interface access list. If you want to just stop access to the host for remote VPN clients and have split tunnelling configured, you just deny access to the host from the split tunnel ACL.

Thanks

Manish

Kevin:

Thanks again for replying.

I tried denying the traffic there too and it still makes it through.   On the ACL I moved it to the top.

Harrison

Can you post your configuration without public IPs and passwords.

Thanks

Manish

Manish:

Thanks for your reply to my posts.

I fixed the problem.  In my split tunnel statements I had allowed access to the specific host higher in the ACL.   I removed it and the host was blocked. 

Thanks for your help....

Harrison
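A worked ASA configuration illustrating the thread's findings, added here as an example and not taken from any poster's configuration. The addresses, ACL names and group-policy name are constructed; the vpn-filter part assumes that the "group policy access lists" Kevin refers to are the group-policy vpn-filter.

```cisco
! Constructed example (not from the thread): VPN client pool 10.200.0.0/24,
! internal network 10.1.0.0/16, host to keep VPN users away from: 10.1.2.50.

! 1. Check whether decrypted VPN traffic bypasses the interface ACLs.
!    If 'sysopt connection permit-vpn' appears in this output, the INSIDE and
!    OUTSIDE access-groups are never consulted for VPN traffic (hence 0 hits).
show run all sysopt

! 2. Before: the split-tunnel list pushed an explicit route for the host to the
!    client, which is what let the client reach it (the cause found in the thread).
access-list SPLIT_TUNNEL standard permit host 10.1.2.50
access-list SPLIT_TUNNEL standard permit 10.1.3.0 255.255.255.0

! 3. After: remove the host entry so the client no longer tunnels traffic to it.
!    (This only works because no other permit entry covers 10.1.2.50.)
no access-list SPLIT_TUNNEL standard permit host 10.1.2.50

! 4. Alternative that holds even with 'sysopt connection permit-vpn' left on:
!    a group-policy vpn-filter. Source is the client pool, destination is the
!    internal side; ACLs are first-match, so the deny must precede the permit.
access-list VPN_FILTER extended deny ip 10.200.0.0 255.255.255.0 host 10.1.2.50
access-list VPN_FILTER extended permit ip 10.200.0.0 255.255.255.0 10.1.0.0 255.255.0.0

group-policy RA_VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER

! 5. Verify: hit counts on the deny line confirm the filter is catching traffic.
show access-list VPN_FILTER
```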

Harrison,

If you can, please be sure to mark this thread as 'answered' for the benefits of others.

Thanks for using the Support Forums.

Best Regards,

Kevin
