08-30-2012 02:58 PM - edited 03-11-2019 04:48 PM
The client has an outside ASA in transparent mode which has the "sysopt connection permit-vpn" enabled, there are also ACL rules to only allow certain outside Internet located routers to create VPNs to the internal ASA.
How is it best to log connections from the external routers on the transparent ASA? At the moment it is set to log at level 4 but the probable questions are:
1) Is "sysopt connection permit-vpn" relevant on an ASA in transparent mode that isn't terminating the VPNs?
2) If a transparent mode ASA has ACL rules for the usual VPN protocols included in the outside interface ACLs, will they ever get matched?
3) Can we do away with the ACL entries or is the sysopt command redundant on a transparent ASA?
Thanks
Mel
08-30-2012 05:00 PM
Hello Mel,
1- No, as that command is only for a VPN endpoint with ACLs. In this case it is just a VPN pass-through device.
2- Yes, they will get matched as usual as traffic from the lower security level to the higher will need to be allowed over an interface.
3- If you take out the ACL on the Outside (Transparent ASA) then the VPN attempts will not be allowed to the internal ASA.
The sysopt connection permit-vpn should be relevant only to the internal ASA.
Remember to rate all the helpful posts, that is as good as a thanks.
Julio
CCSP
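A constructed configuration sketch of the split Julio describes; it is added here and is not from the thread or from either ASA's real config. The addresses (203.0.113.10 for an external router, 198.51.100.1 for the internal ASA's outside, 192.0.2.50 for a syslog host), the ACL name and the interface names are assumptions.

```text
! --- Outside ASA in transparent (pass-through) mode: constructed example ---
firewall transparent
!
! Only the listed Internet router may send IKE (UDP/500), NAT-T (UDP/4500)
! and ESP through to the internal ASA. Each ACE carries "log 4" because the
! box sends syslog at level 4: the default ACE log level is 6 (informational,
! message 106100), which "logging trap warnings" would never forward.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp log 4
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500 log 4
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.1 log 4
! Other peers fall to the implicit deny, which logs message 106023 at level 4.
access-group OUTSIDE_IN in interface outside
!
logging enable
logging trap warnings
logging host inside 192.0.2.50
! No "sysopt connection permit-vpn" on this box: it terminates no tunnels,
! so the command would have nothing to apply to.

! --- Internal ASA (the VPN endpoint): constructed example ---
! Here the command matters: decrypted traffic from established tunnels
! bypasses the interface ACLs, so the ACL above is the only peer filter.
sysopt connection permit-vpn
```

Hits on the three permit ACEs show as 106100 entries with the router's source address, which answers the original logging question without raising the global trap level.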
08-31-2012 03:42 AM
Thanks Julio, that has cleared up some points we weren't too clear about.