12-10-2019 04:21 AM
My question is how we allow VPN traffic via the outside interface but block internet traffic that happens to have the same source address as the remote VPN network.
If you disable the bypassing of interface access lists on an ASA using the "no sysopt connection permit-vpn" command, how should the ACLs be applied on the outside interface to only allow VPN traffic and not traffic from the internet? Example:
Local Network Company A: 12.10.1.0/24
Remote Network Company B: 13.10.1.0/24
We apply an ACL on the outside interface allowing network 13.10.1.0/24 to access 12.10.1.0/24 over the VPN. But what would stop a network 13.10.1.0/24 on the internet also accessing 12.10.1.0/24? Assume that Company B is using 13.10.1.0/24 as its internal address range, but a genuine external network also exists with the same IP network. How do we differentiate between the VPN network and the external internet-based network?
Thanks
12-10-2019 10:30 AM
What I have seen in production environments is leaving the SYSOPT in place and restricting traffic using VPN Filter lists.
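An added example of the vpn-filter approach described in the reply above, written for the thread's scenario; it is not configuration posted by anyone in the thread. The local (12.10.1.0/24) and remote (13.10.1.0/24) networks are the thread's; the peer address 203.0.113.5, the ACL and group-policy names and the server host 12.10.1.10 are assumptions for illustration:

```cisco
! Added example (not from the thread). Company A ASA, L2L tunnel to Company B.
! 12.10.1.0/24 = local (Company A), 13.10.1.0/24 = remote (Company B) as in the thread.
! Peer 203.0.113.5, the names below and host 12.10.1.10 are assumed for illustration.
!
! Keep the default: decrypted VPN traffic bypasses the outside interface ACL
! and is instead checked against the vpn-filter of its group policy.
sysopt connection permit-vpn
!
! vpn-filter ACEs are written from the remote side's perspective:
! source = remote (Company B) network, destination = local (Company A) network.
access-list VPN-FILTER-COMPANY-B extended permit tcp 13.10.1.0 255.255.255.0 host 12.10.1.10 eq 443
access-list VPN-FILTER-COMPANY-B extended permit icmp 13.10.1.0 255.255.255.0 12.10.1.0 255.255.255.0
! Everything else arriving through this tunnel hits the implicit deny.
!
group-policy GP-COMPANY-B internal
group-policy GP-COMPANY-B attributes
 vpn-filter value VPN-FILTER-COMPANY-B
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP-COMPANY-B
!
! The outside interface ACL now only governs cleartext traffic from the internet.
! A cleartext packet sourced from 13.10.1.0/24 was never decrypted from the tunnel,
! so the vpn-filter is not consulted for it; only OUTSIDE-IN applies, and that
! permits nothing to 12.10.1.0/24 except the one published service.
access-list OUTSIDE-IN extended permit tcp any host 12.10.1.10 eq 443
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
```

The separation comes from where each ACL is evaluated: the vpn-filter is applied only to traffic decrypted from (or destined into) that tunnel, while the interface ACL sees cleartext packets, so two packets with the identical source address 13.10.1.0/24 are judged by different lists depending on whether they arrived inside the tunnel. This is what the `no sysopt connection permit-vpn` approach in the question loses, since it sends both kinds of packet through the same outside interface ACL.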
12-12-2019 02:57 AM
Sure, yes, I'm also aware of that method, but what if we don't want to use this option, so we have complete control of the VPN access? How will this affect the incoming internet traffic?
Anybody considered this ?
Thanks
12-17-2019 03:09 AM
Anybody have any thoughts on this please? Any feedback greatly appreciated.
12-17-2019 05:26 PM
Based on your scenario, there are two organizations using non-RFC 1918 address space, that they don't own, as their internal address space. In my experience, this is extremely unlikely to happen, and as such I don't have an answer to your question. Good luck in your search.
12-18-2019 03:17 AM
Thanks for your input Gerald. Really keen to hear other people's views as well.