What are the configs for allowing VPN in ASA?

martlee2
Cisco Employee

I find that there are at least two types of allowing VPN in ASA.

One is to use one command to bypass the access list.

Another is to set an access list.

What are they? And are there any more? What are their differences?

Which of them is the most secure in real practice?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I presume you mean allowing traffic/connections that are coming through a VPN connection?

Well, the default setting on an ASA is "sysopt connection permit-vpn", which basically means that the ASA will allow all connections incoming through a VPN connection, as it presumes that since these connections are coming through a secure connection they should be allowed.

This default setting is OK for situations where the users are only/mainly from the same company. If you keep this default setting, then if you want to control traffic you will have to configure a VPN Filter ACL that will be attached to the VPN connection's "group-policy". If you are using a VPN Filter ACL in an L2L VPN connection then you should refer to the documentation for their configuration format. They don't exactly follow the logic of interface ACLs, for example.

I usually prefer the setting "no sysopt connection permit-vpn", which disables the default setting. This means that if you have a VPN connection and want to allow traffic to internal networks then you need to use the interface ACL of the interface which has the VPN to allow the traffic. This interface is usually called "outside".

I am not sure which of them is secure. I do remember that the VPN Filters have sometimes had problems updating to the VPN connection that is active. In that sense disabling the default setting (which allows all connections from VPN connections) would make for a better solution and also be clearer, as you would control all VPN traffic in a single ACL instead of multiple VPN Filter ACLs.

Hope this helps :)

Please do remember to mark a reply as the correct answer and/or rate helpful answers. Feel free to ask more if needed.

- Jouni
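The two approaches described in the reply, written out as an added example ASA configuration (this is not from the original post or from Cisco documentation). The names RA_POLICY, VPN_FILTER and OUTSIDE_IN, the internal network 10.0.0.0/24 and the VPN client pool 192.168.50.0/24 are constructed placeholders; only one of the two options should be active on a given ASA.

```cisco
! --- Option A: keep the default and constrain VPN traffic with a VPN Filter ---
! Default behaviour: traffic arriving through a VPN tunnel bypasses the
! ACL applied to the outside interface.
sysopt connection permit-vpn
!
! VPN Filter ACL (constructed example). This is the quirk the reply refers to:
! the ACL is written with the REMOTE (VPN) side as source and the LOCAL side
! as destination, and the ASA evaluates it for both directions of the tunnel.
access-list VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-list VPN_FILTER extended deny ip any any
!
! The filter is attached to the group-policy that the tunnel-group uses.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-filter value VPN_FILTER
!
! --- Option B (the reply's preference): disable the bypass, use the interface ACL ---
no sysopt connection permit-vpn
!
! Decrypted VPN traffic is now checked by the "outside" interface ACL like any other
! inbound traffic, so a single ACL governs both VPN and non-VPN access.
access-list OUTSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because `sysopt connection permit-vpn` is a default, it does not appear in a plain `show running-config`; use `show running-config all sysopt` to confirm which mode is actually active before relying on the interface ACL.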

