
asa VPN question

Stuart Gall
Level 1

Hello,
I have several working VPNs between ASAs on 8.4 and 8.3.
The way this was set up is with crypto maps that match whole subnets and an ACL on the outside interface to permit traffic from/to the RFC 1918 addresses.
I notice that the hit count is zero on these rules, so I wonder if they are actually necessary or doing anything.

If they are not, where can an ACL be applied to restrict the VPN traffic? Outbound on the inside interface?


1 Reply

Julio Carvajal
VIP Alumni

Hello Stuart,

You could use Reverse Path Check and take out those ACL lines (RFC 1918 addresses).

Now, regarding ACLs for VPN traffic: by default VPN traffic will not be inspected by the interface ACLs, but you can restrict it on any of the interfaces (remove the sysopt permit-vpn setting and that will start inspecting VPN traffic with ACLs).

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
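The configuration below is an added illustration of the points raised in this thread; it is not from either poster and was not tested on their devices. It uses ASA 8.4 syntax, and every name, subnet and peer address (OUTSIDE_MAP, L2L_TO_SITEB, OUTSIDE_IN, 10.1.0.0/16, 10.2.0.0/16, 203.0.113.2) is a constructed placeholder. It shows why an outside-interface ACL written for tunnel traffic stays at zero hits while the default bypass is in place, what replaces the RFC 1918 anti-spoofing lines, and what changes once the bypass is turned off.

```cisco
! --- The setup described in the question: a crypto map matching whole subnets ---
access-list L2L_TO_SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Default behaviour (this line is on by default and is hidden in the running config):
! decrypted IPsec traffic bypasses the inbound interface ACL entirely, which is why
! the permit lines for the remote RFC 1918 ranges show hitcnt=0 in "show access-list".
sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! Anti-spoofing without per-prefix ACL lines: drop packets whose source address is
! not reachable back out the interface they arrived on.
ip verify reverse-path interface outside

! --- To have the interface ACL filter tunnel traffic, disable the bypass ---
! Caveat: this applies to every VPN terminating on the box (site-to-site and
! remote access alike), so each tunnel's traffic must then be explicitly permitted.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.2.10.0 255.255.255.0 host 10.1.20.5 eq 443
access-list OUTSIDE_IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log
```

After the change, `show access-list OUTSIDE_IN` should show the hit counters on the tunnel-specific lines climbing, which is the quick way to confirm the ACL is now in the path for decrypted traffic; a counter that stays at zero after traffic has crossed the tunnel means the bypass is still active.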