Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5893
Views
0
Helpful
3
Replies

Cisco ASA vpn bypass interface out acls?

Go to solution
dtremolo1
Level 1
Level 1

‎12-08-2014 01:32 AM - edited ‎03-11-2019 10:11 PM

 

I found by accident that access which wasn't explicitly permitted in ACLs still was able to went through. This only seem to happen when the src originates from a site-to-site vpn and a ciient vpn. A permit rule does not increase the counter, a deny does but traffic is let through anyway. What could be the cause of this?  I don't have sysopt permit-vpn.


interface "ldap"

access-group ldap_access_in in interface ldap
access-group ldap_access_out out interface ldap

I had zero hits until I started to try ssh;

access-list ldap_access_out line 1 extended deny tcp host 10.99.2.70 host 10.99.11.8 eq ssh (hitcnt=5) 0xa18d6298

If I wait ten minutes without connecting, no hits. Checking on the remote host who is logged on I can see that the source address is what I expect it to be, and capture captures the traffic.

4 minutes after the previous tries, I will now connect three times and check the hit count:

[user@ldap0 ~]$ ssh 10.99.11.8
Last login: Thu Nov 20 13:48:34 2014 from 10.99.2.70
[user@root0 ~]$ logout
Connection to 10.99.11.8 closed.

[user@ldap0 ~]$ ssh 10.99.11.8
Last login: Thu Nov 20 13:53:23 2014 from 10.99.2.70
[user@root0 ~]$ ^C
[user@root0 ~]$ logout
Connection to 10.99.11.8 closed.

[user@ldap0 ~]$ ssh 10.99.11.8
Last login: Thu Nov 20 13:53:24 2014 from 10.99.2.70
[user@root0 ~]$ logout
Connection to 10.99.11.8 closed.

And ...

access-list ldap_access_out line 1 extended deny tcp host 10.99.2.70 host 10.99.11.8 eq ssh (hitcnt=8) 0xa18d6298
 
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎12-08-2014 02:01 AM

"sysopt connection permit-vpn" is enabled by default. If you want to control the traffic that is sent through the tunnel you can:

  1. Disable it with "no sysopt connection permit-vpn" and control it with the interface ACL.
  2. Configure a vpn-filter that is applied to a the group-policy for the tunnel-group.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎12-08-2014 02:01 AM

"sysopt connection permit-vpn" is enabled by default. If you want to control the traffic that is sent through the tunnel you can:

  1. Disable it with "no sysopt connection permit-vpn" and control it with the interface ACL.
  2. Configure a vpn-filter that is applied to a the group-policy for the tunnel-group.
0 Helpful

Go to solution
dtremolo1
Level 1
Level 1
In response to Karsten Iwen

‎12-08-2014 03:42 AM

Thanks Karsten!

0 Helpful

Go to solution
dtremolo1
Level 1
Level 1

‎12-08-2014 03:42 AM

it turns out I cant remove a post added by accident (this)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card