Outbound ACL with sysopt Permit-VPN Enabled

kylerossd
Level 4
Level 4

Hello,

I have an interesting question. Is it possible to have sysopt permit-vpn enabled and still be able to have an outbound ACL on an inside interface that would match and drop the traffic? I cannot use VPN filters, as routes are learned dynamically and are split unevenly across multiple inside networks. Disabling sysopt permit-vpn is not an option that I would like to entertain.

For example, I would like a certain IP pool to be able to access networks learned on inside-network-1 but be denied on inside-network-2, inside-network-3, and inside-network-4. Another pool would be allowed to inside-network-2 and denied on inside-network-1, -3, and -4.

Can a VPN-Filter Deny an outbound interface?

Kyle

2 Replies

Hi kylerossd,

You would do that with split tunnel; example of a partial configuration:

 

ip local pool VPN-POOL-1 192.168.10.1-192.168.10.62

access-list FILTER-VPN-TRAFFIC extended permit ip host 192.168.0.1 192.168.10.0 255.255.255.192

group-policy EXAMPLE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value FILTER-VPN-TRAFFIC

Regards,

Aref

Unfortunately, as previously stated, the routes are learned dynamically (several thousand). I will also add that all traffic is tunneled.
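The layout the original poster describes, written out as ASA configuration, is shown below as an added example; it is not from the thread or from Cisco documentation. Interface names, pool ranges and network objects are assumptions. The thread does not settle whether the ASA evaluates an outbound interface ACL for decrypted VPN traffic while sysopt connection permit-vpn is enabled, so the snippet ends with a packet-tracer check that shows the verdict and the phase that produced it, which is how to confirm the behaviour on a lab unit before relying on it.

```cisco
! Assumed address pools, one per remote-access profile
ip local pool VPN-POOL-1 192.168.10.1-192.168.10.62 mask 255.255.255.192
ip local pool VPN-POOL-2 192.168.10.65-192.168.10.126 mask 255.255.255.192

! Network objects so the ACLs reference the pool, not a hard-coded range
object network VPN-POOL-1-NET
 subnet 192.168.10.0 255.255.255.192
object network VPN-POOL-2-NET
 subnet 192.168.10.64 255.255.255.192

! Outbound ACL for inside-network-2: drop pool 1, allow everything else.
! Destinations are "any" on purpose: the routes behind each inside interface
! are learned dynamically, so the ACL keys on the interface, not the prefix.
access-list INSIDE-2-OUT extended deny ip object VPN-POOL-1-NET any
access-list INSIDE-2-OUT extended permit ip any any

! Outbound ACL for inside-network-1: drop pool 2, allow everything else
access-list INSIDE-1-OUT extended deny ip object VPN-POOL-2-NET any
access-list INSIDE-1-OUT extended permit ip any any

! Bind each ACL in the outbound direction of its inside interface
access-group INSIDE-1-OUT out interface inside-network-1
access-group INSIDE-2-OUT out interface inside-network-2

! Verification (assumed addresses): simulate a packet from a pool-1 client
! arriving on the outside interface towards a host behind inside-network-2.
! The output lists each phase; an ACCESS-LIST phase with result DROP on
! INSIDE-2-OUT shows the outbound ACL is being enforced for VPN traffic,
! while an ALLOW verdict shows it was bypassed.
packet-tracer input outside tcp 192.168.10.5 40000 10.2.0.10 445
```

Repeat the packet-tracer with a source from the other pool and with a destination behind the interface each pool is allowed to reach, so both the deny and the permit paths are exercised.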
