10-26-2014 07:43 PM
Hello,
I have an interesting question. Is it possible to have sysopt permit-vpn enabled and still be able to have an outbound ACL on an inside interface that would match and drop the traffic? I cannot use VPN filters as routes are learned dynamically and are split unevenly across multiple inside networks. Disabling sysopt permit-vpn is not an option that I would like to entertain.
For example, I would like a certain ip pool to be able to access networks learned on inside-network-1 but denied on inside-network-2, inside-network-3, inside-network4. Another pool would be allowed to inside-network-2 and denied on inside-network1,3,4.
Can a VPN-Filter Deny an outbound interface?
Kyle
10-26-2014 08:25 PM
Hi Kelyrossd,
You would do that with split tunnel, example of partial configuration:
ip local pool VPN-POOL-1 192.168.10.1-192.168.10.62
access-list FILTER-VPN-TRAFFIC extended permit ip host 192.168.0.1 192.168.10.0 255.255.255.192
group-policy EXAMPLE attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value FILTER-VPN-TRAFFIC
Regards,
Aref
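For readers comparing the two mechanisms mentioned in this thread, here is an added example (not part of either post above) of the per-pool vpn-filter approach on an ASA, mapped onto Kyle's scenario: one pool may only reach inside-network-1, a second pool may only reach inside-network-2. All names and addresses (VPN-POOL-1, VPN-POOL-2, GP-POOL-1, GP-POOL-2, 10.1.0.0/16 as inside-network-1, 10.2.0.0/16 as inside-network-2, the tunnel-group names) are assumptions chosen for illustration. Note that this is exactly the mechanism Kyle ruled out: each vpn-filter ACL must enumerate the permitted destination prefixes statically, which does not work when the inside routes are several thousand dynamically learned prefixes spread unevenly across interfaces.

```cisco
! Added example, not from the original posts. Addresses and names are assumed.
! With sysopt connection permit-vpn enabled (the default), decrypted VPN
! traffic bypasses interface access-lists, so an outbound ACL on an inside
! interface never sees it. The only per-tunnel filter that still applies is
! the vpn-filter attached to the group-policy.
sysopt connection permit-vpn

! Two address pools, one per class of user.
ip local pool VPN-POOL-1 192.168.10.1-192.168.10.62 mask 255.255.255.192
ip local pool VPN-POOL-2 192.168.10.65-192.168.10.126 mask 255.255.255.192

! vpn-filter ACLs are written from the remote client's point of view:
! source = client address(es) from the pool, destination = inside network.
! The ASA applies them to both directions of the flow, and each list ends
! with an implicit deny, so inside-network-2/3/4 is dropped for POOL-1
! without any interface ACL being involved.
access-list VPN-FILTER-POOL-1 extended permit ip 192.168.10.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list VPN-FILTER-POOL-2 extended permit ip 192.168.10.64 255.255.255.192 10.2.0.0 255.255.0.0

! One group-policy per pool, binding the pool and its filter together.
group-policy GP-POOL-1 internal
group-policy GP-POOL-1 attributes
 address-pools value VPN-POOL-1
 vpn-filter value VPN-FILTER-POOL-1
group-policy GP-POOL-2 internal
group-policy GP-POOL-2 attributes
 address-pools value VPN-POOL-2
 vpn-filter value VPN-FILTER-POOL-2

! Each tunnel-group (connection profile) hands out the matching policy.
tunnel-group RA-POOL-1 type remote-access
tunnel-group RA-POOL-1 general-attributes
 default-group-policy GP-POOL-1
tunnel-group RA-POOL-2 type remote-access
tunnel-group RA-POOL-2 general-attributes
 default-group-policy GP-POOL-2
```

The practical check after applying something like this is `show vpn-sessiondb detail anyconnect` (or the equivalent for the client type in use) to confirm the session picked up the intended group-policy and filter name, and `show access-list VPN-FILTER-POOL-1` to watch the hit counters on the permit entries while a client in that pool tests a denied destination. Because the deny comes from the implicit end of the vpn-filter ACL rather than from an interface ACL, nothing will show up in the inside interface ACL counters, which is the behaviour Kyle describes as the problem.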
10-27-2014 07:19 AM
Unfortunately, as previously stated the routes are learned dynamically (several thousand). I will also add that all traffic is tunneled.