01-11-2009 02:10 AM - edited 03-11-2019 07:35 AM
Hi
I need to ask a simple question.
I have a site-to-site VPN, and it is working properly.
If I want to add an access-list on the outside interface of the firewall for the incoming traffic, does it affect the VPN traffic? Do I have to permit anything related to the VPN in the access-list?
01-11-2009 02:39 AM
You can add the rule, not a problem.
01-11-2009 02:56 AM
Add the rule without adding anything related to the VPN, yah?
01-11-2009 11:10 PM
Hi Jorjes,
If you have given "sysopt connection permit-ipsec" in global configuration mode of the device to allow the VPN traffic to bypass interface access lists, none of the access-lists at the interface will block your VPN traffic.
Please visit the following URL for more info:
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414
Thanks
Jithesh K Joy
01-12-2009 03:07 AM
Hi,
Jithesh is right. If you use the command "sysopt connection permit-ipsec", all interface ACLs will be bypassed by VPN traffic.
If you are using OS 7.x and greater, there is a new command under the group policy for each VPN that can effectively filter traffic for each VPN. It is the "vpn-filter" command.
Check out the link:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1411607
Regards,
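As an added example (not posted by anyone in this thread), here is the ASA configuration the replies above describe: the outside ACL that decrypted tunnel traffic skips while the sysopt bypass is on, a per-tunnel vpn-filter in the group policy, and the alternative of turning the bypass off. The addresses, ACL names, group-policy name and peer address are constructed; the command names are the ones in the ASA command reference, with `sysopt connection permit-vpn` being the later name of the `sysopt connection permit-ipsec` command quoted in the replies.

```cisco
! Constructed addresses: local LAN 10.1.0.0/24, remote site 10.2.0.0/24,
! remote VPN peer 203.0.113.10, a public web server 198.51.100.5.
!
! Default on 7.x and later: decrypted VPN traffic bypasses the interface
! ACL, so OUTSIDE_IN below never sees traffic arriving through the tunnel.
sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.5 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Option A: keep the bypass and restrict this tunnel with a vpn-filter.
! Caveat: a vpn-filter ACL is written from the remote side's point of view
! (source = remote network, destination = local network) and is applied to
! traffic in both directions, so the HTTPS line also covers the replies.
! Without a filter the remote site reaches everything behind the ASA.
access-list SITE_B_FILTER extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list SITE_B_FILTER extended permit udp 10.2.0.0 255.255.255.0 host 10.1.0.53 eq 53
access-list SITE_B_FILTER extended deny ip any any log
group-policy SITE_B_GP internal
group-policy SITE_B_GP attributes
 vpn-filter value SITE_B_FILTER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE_B_GP
!
! Option B (instead of A): disable the bypass, so decrypted tunnel traffic
! is checked by the outside interface ACL like any other inbound packet.
! Every flow that should cross the tunnel must then be permitted there.
! The IKE and ESP packets are terminated on the ASA itself and are not
! subject to the interface ACL, so they need no entry.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
```

Use `show run sysopt` to see which behaviour is in effect before touching the outside ACL, since an ACL that looks complete can still be silently bypassed for tunnel traffic.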