Question on VPN ACL's and sysopt

monkeyboy
Level 1

Hi, I've not used PIX/ASA for a while and was wondering the following:

We currently terminate site2site & RA VPNs directly on our perimeter ASA.

What would be the better option, to use sysopt or not, i.e.:

If we use the external firewall ACL to screen remote access VPNs, we would have to allow RFC 1918 addresses into our network (albeit with a verified return path), but we can filter on port

vs

If we use sysopt we are creating point-to-point IP connections directly into our network that don't filter on port (doesn't matter so much for RA but does for site2site)

?

Personally I would terminate all VPNs in a DMZ then screen after that =)

Cheers amigos

Mark
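As an added illustration (not part of the original thread), here is an ASA 8.3+ configuration sketch of the two choices Mark describes. The object names, RFC 1918 subnets and ports are constructed placeholders; `sysopt connection permit-vpn` is the ASA default, so option B is what you get if you never touch it.

```text
! ---- Option A: screen decrypted VPN traffic with the outside interface ACL ----
! Disabling the sysopt makes decrypted site2site/RA traffic subject to the
! interface ACL on the interface where the tunnel terminates (outside).
no sysopt connection permit-vpn
!
! Constructed placeholder networks: the remote site's RFC 1918 LAN and one HQ host
object network SITE_B_LAN
 subnet 10.20.0.0 255.255.0.0
object network HQ_APP_SERVER
 host 10.1.5.10
!
! Only the ports the remote site actually needs; everything else is dropped and logged.
! Sources are private (RFC 1918) addresses arriving on the outside interface, which is
! the point Mark raises: it only works because the ASA itself decrypted them.
access-list OUTSIDE_IN extended permit tcp object SITE_B_LAN object HQ_APP_SERVER eq 443
access-list OUTSIDE_IN extended permit tcp object SITE_B_LAN object HQ_APP_SERVER eq 1433
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The "verified return path" Mark mentions: drop packets whose source has no
! route back out the interface they arrived on (anti-spoofing for the 10/8 sources).
ip verify reverse-path interface outside
!
! Note: IKE (UDP 500/4500) and ESP to the ASA's own outside address are to-the-box
! traffic and are not subject to OUTSIDE_IN, so no permit lines are needed for them.

! ---- Option B: sysopt enabled (the default) ----
! Decrypted tunnel traffic bypasses OUTSIDE_IN entirely; whatever the crypto ACL
! or split-tunnel policy allows reaches the inside network with no port filtering
! at the perimeter, which is the exposure Mark describes for site2site tunnels.
sysopt connection permit-vpn
```

With option A the interface ACL is the only thing standing between a compromised remote site and the HQ hosts, so the ACL and the RPF check need to be reviewed whenever a new tunnel is added.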

Accepted Solution

Collin Clark
VIP Alumni

Hey Mark-

I prefer sysopt, and your DMZ ASA for VPN should have its outside interface on the outside and its inside interface in the DMZ of your perimeter ASA. That is suggested per Cisco's SRND.

Hope my post makes sense, let me know if it doesn't.

2 Replies


...yeah, that's what I would do too - it wasn't set up by me hehehe

cheers for getting back to me

Mark
