IPSec VPN tunneled traffic does not require an ACL?

I tested today the establishment of a Route Based IPsec VPN between the ASA and the FTD.
Everything works fine however I was surprised that on the ASA I didn't have to add a single ACL.
I wonder if traffic destined to the tunnel is treated like traffic from a higher security "zone" to a lower security "zone"?

13 Replies

@krzysztofmaciejewskiit Access control lists can be applied on a VTI interface to control traffic through VTI. To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, the sysopt connection permit-vpn command is used.

Thanks for the information, I didn't know about that.
However, in my case this command is not entered, and still all traffic destined to and from the tunnel passes correctly.

@krzysztofmaciejewskiit it's enabled by default, it would only appear in the configuration if it is explicitly disabled.

ASA(config)# no sysopt connection permit-vpn
ASA(config)# show run | i sysopt
no sysopt connection permit-vpn
ASA(config)#
ASA(config)# sysopt connection permit-vpn
ASA(config)# show run | i sysopt
ASA(config)#

So if you cannot see it in the configuration it is enabled.

A very interesting one. Thanks for the helpful reply!

Sysopt connection does not work and does not affect route based VPN in FTD (uses zones)

You need an ACP, or you already use a prefilter to pass all traffic in FTD

For ASA I think you need it.

MHM

Check below 

MHM


@MHM Cisco World wrote:

For ASA if you do not specify the security level then it is by default set to 100 and I think it is the same as the inside interface.

This, with use of the same security interface, will make traffic pass from inside to VTI.

And hence also sysopt does not have any effect here.

MHM


No, actually by default the security level for VTI interfaces is 0. You cannot configure the security level.

Yes, on FTD I intentionally allowed this traffic using Access Control. However, on the ASA I did nothing at all, no ACLs or using the sysopt command.

I explained why in my second comment.

Use show interface ip brief to check the security level.

MHM

Security levels are set manually: zone inside 90, outside 10.

Yes, as Mr Rob mentioned, and check that the VTI level is 0 by default.

Traffic initiated from ASA inside to VTI

So from inside 90 to 0 is allowed by default (no need for sysopt here)

And return traffic is allowed since it has a conn

For traffic initiated from FTD

The traffic from 0 to 90 is not allowed unless you use sysopt (by default enabled)

The return traffic is allowed since it has a conn

Thanks to all 

MHM
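As an added illustration (not code from this thread or from Cisco), here is a small Python model of the decision MHM lays out above, useful when auditing what an ASA's defaults let through a VTI: interface security levels (VTI fixed at 0), the default higher-to-lower permit, the sysopt connection permit-vpn bypass for tunnel-sourced packets, an explicit ACL permit, and the connection table that admits return traffic. Interface names and addresses are constructed.

```python
from dataclasses import dataclass, field

VTI_SECURITY_LEVEL = 0  # fixed on VTI interfaces; the level cannot be configured


@dataclass
class AsaPolicy:
    """Constructed model of the ASA forwarding decisions described in the thread."""
    levels: dict                                   # interface name -> security level
    vtis: set = field(default_factory=set)         # VTI interfaces (tunnel-decrypted ingress)
    permit_vpn: bool = True                        # sysopt connection permit-vpn (on by default)
    acl_permits: set = field(default_factory=set)  # (ingress, egress) pairs an ACL permits
    conns: set = field(default_factory=set)        # (ingress, egress, (src, dst)) established

    def __post_init__(self):
        for name in self.vtis:            # VTIs always get level 0
            self.levels[name] = VTI_SECURITY_LEVEL

    def check(self, ingress, egress, flow):
        """Return (allowed, reason) for packet `flow` = (src, dst) entering `ingress`
        and leaving `egress`; allowed first packets are recorded as connections."""
        src, dst = flow
        if (egress, ingress, (dst, src)) in self.conns:
            return True, "return traffic: matches an existing connection"
        if ingress in self.vtis and self.permit_vpn:
            reason = "tunnel traffic: sysopt connection permit-vpn bypasses the ACL check"
        elif (ingress, egress) in self.acl_permits:
            reason = "interface ACL explicitly permits the flow"
        elif self.levels[ingress] > self.levels[egress]:
            reason = f"higher ({self.levels[ingress]}) to lower ({self.levels[egress]}) level: allowed by default"
        else:
            return False, f"level {self.levels[ingress]} -> {self.levels[egress]} needs an ACL or the sysopt bypass"
        self.conns.add((ingress, egress, flow))
        return True, reason


def scenario(permit_vpn=True, acl_permits=()):
    """Thread topology (inside 90, outside 10, vti1 0) with constructed addresses."""
    def asa():
        return AsaPolicy(levels={"inside": 90, "outside": 10}, vtis={"vti1"},
                         permit_vpn=permit_vpn, acl_permits=set(acl_permits))
    lan, remote = "10.1.1.10", "10.2.2.20"
    a = asa()
    results = {"inside->vti": a.check("inside", "vti1", (lan, remote))[0],
               "vti->inside return": a.check("vti1", "inside", (remote, lan))[0],
               # FTD-initiated flow on a box that has no prior connection
               "vti->inside new": asa().check("vti1", "inside", (remote, lan))[0]}
    return results
```

Calling `scenario()` reproduces the default case; `scenario(permit_vpn=False)` shows the FTD-initiated flow being dropped until an ACL permit for vti1 to inside is added.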

All clear and logical.
