12-12-2021 09:09 PM - edited 12-12-2021 09:15 PM
When creating a site-to-site VPN on an ASA 9.14, does creating normal access rules affect the site-to-site VPN traffic from my site to the remote site and vice versa? Or are the only effective access rules the VPN filters under the group policy, and the normal access rules don't affect the site-to-site VPN?
12-12-2021 11:21 PM
Assuming it's a policy-based site-to-site VPN (i.e. using crypto maps and not VTIs), then the "normal" (interface) ACL doesn't apply - only the ACL specified in the crypto map match plus any VPN filter.
That default behavior can be overridden by "no sysopt permit-vpn".
12-13-2021 12:33 AM
You mean "no sysopt permit-vpn" will make the normal ACL take effect on the site-to-site VPN? And on a side note, doesn't this command "sysopt permit-vpn" only permit any traffic incoming from the remote site to my site, and it doesn't permit or bypass traffic from my side to the remote side?
12-14-2021 01:00 AM
@baselzind when you define the command "no sysopt connection permit-vpn", this means all VPN traffic must be explicitly permitted via the interface ACL. When the command "sysopt connection permit-vpn" is configured (which is the default), then all VPN traffic bypasses the interface ACLs and would be permitted.
Group policy and per-user authorization access lists still apply to the traffic when "sysopt connection permit-vpn" is configured.
12-14-2021 03:36 AM - edited 12-14-2021 03:37 AM
So let us say my local network is 192.168.1.0/24 and the remote site network is 192.168.2.0/24. If I use "sysopt connection permit-vpn", then traffic from 192.168.1.0/24 to 192.168.2.0/24 is allowed and traffic from 192.168.2.0/24 to 192.168.1.0/24 is also allowed? Or is only traffic from 192.168.2.0/24 to 192.168.1.0/24 allowed?
12-14-2021 04:47 AM
The post-decryption traffic returning from (or originated from) the remote network will appear to originate from your inside interface. So as long as you don't have an outbound ACL applied to it (very uncommon), that traffic will be allowed whether or not the sysopt option is on.
12-14-2021 09:10 AM
Sorry, but your explanation confused me even more. If you can go along with my example: my ASA has two general ACLs, and
the local network is 192.168.1.0/24 and the remote site network is 192.168.2.0/24.
Rule 1: source interface: inside, destination interface: outside, source network: any, destination network: any, action: deny
and
Rule 2: source interface: outside, destination interface: inside, source network: any, destination network: any, action: deny
If I have "sysopt connection permit-vpn" enabled, would traffic from 192.168.1.0/24 to 192.168.2.0/24 be allowed, and would traffic from 192.168.2.0/24 to 192.168.1.0/24 also be allowed?
01-12-2022 11:34 PM
Please, can any expert explain it? I can't, and I'm having a lot of trouble troubleshooting site-to-site VPN without understanding what ACL controls it.
01-13-2022 04:34 AM
With "sysopt connection permit-vpn", the VPN's IPsec security associations control what traffic is allowed, not any ACL applied to the interfaces. So in your question from 12-15-2021, the answer is yes.
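To make the answers above concrete, here is an added illustrative ASA 9.x configuration for the thread's example (192.168.1.0/24 local, 192.168.2.0/24 remote); it is not taken from any post, and the peer address, object/ACL names and pre-shared-key placeholders are assumptions. The comments mark which ACL is consulted at each point and what changes under "no sysopt connection permit-vpn".

```text
! Assumed: local LAN 192.168.1.0/24 on "inside", remote LAN 192.168.2.0/24 behind peer 203.0.113.2.

! 1) Crypto-map ACL ("interesting traffic"). This is what the crypto map matches; with the
!    default sysopt below it, plus any vpn-filter, decides what the tunnel carries.
access-list VPN-TO-SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside

! 2) vpn-filter: still enforced with sysopt permit-vpn. For a site-to-site tunnel the ACL is
!    written from the REMOTE side's perspective (source = remote LAN, destination = local LAN);
!    the ASA applies it to post-decrypted traffic and, mirrored, to pre-encrypted traffic.
!    Here only HTTPS from Site B to Site A (and its return traffic) survives the filter.
access-list VPN-FILTER-SITEB extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list VPN-FILTER-SITEB extended deny ip any any
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITEB
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-ME>
 ikev2 local-authentication pre-shared-key <REPLACE-ME>

! 3) Default: decrypted traffic arriving from the tunnel bypasses the inbound ACL on "outside".
!    Traffic from 192.168.1.0/24 heading into the tunnel is still checked by whatever inbound
!    ACL is applied to "inside" before encryption; sysopt does not bypass that one.
sysopt connection permit-vpn

! Alternative: make decrypted VPN traffic subject to the outside interface ACL as well, so it
! must be explicitly permitted there (one ACL then governs everything entering "outside").
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! access-group OUTSIDE-IN in interface outside
```

With the default "sysopt connection permit-vpn", the deny-any rules from the 12-14-2021 example do not stop the decrypted Site B traffic, but the vpn-filter and the crypto-map ACL still do; "show access-list VPN-FILTER-SITEB" hit counts are the quickest way to confirm which ACL is actually dropping a flow.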
12-13-2021 05:13 AM
follow