Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1988
Views
0
Helpful
3
Replies

Sysopt connection permit not working with packet tracer

Go to solution
Alfredcfc
Level 1
Level 1

‎03-27-2020 11:49 AM

Hello All,

 

We have enabled sysopt permit vpn to bypass the external ACL for cisco anyconnect vpn but there is weird thing happened when the packet-tracer was always checking the external acl and never the vpn-filter in the group policy.

 

Why i think this is weird because i can see in the "sh conn" logs for vpn users having successfully connected to the internal resources.

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Alfredcfc

‎03-28-2020 02:33 PM

What I am saying is that you cannot use packet-tracer to test VPN connections on the outside interface (or whatever the ingress interface is called).  The only time a packet-tracer will work for VPN if the source is the inside interface and IP with a destination of an IP at the remote end of the VPN tunnel.

And, yes, packet-tracer will always evaluate the interface ACL as it is part of the order of operations for when a packet enters and leaves an interface.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎03-28-2020 06:57 AM

Packet-tracer is used to test through the box traffic so the outside ACL will always be checked when using packet-tracer.  VPN is to the box and packet tracer cannot be used to test a VPN connection on the ingress interface, in this case the outside interface.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Alfredcfc
Level 1
Level 1
In response to Marius Gunnerud

‎03-28-2020 01:57 PM

so you are saying packet-tracer will always test the ACL on the interface only regardless of whether sys-opt is enabled or not for VPN connection simulations.
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Alfredcfc

‎03-28-2020 02:33 PM

What I am saying is that you cannot use packet-tracer to test VPN connections on the outside interface (or whatever the ingress interface is called).  The only time a packet-tracer will work for VPN if the source is the inside interface and IP with a destination of an IP at the remote end of the VPN tunnel.

And, yes, packet-tracer will always evaluate the interface ACL as it is part of the order of operations for when a packet enters and leaves an interface.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card