asa site to site vpn access rules?

baselzind
Level 6

When creating a site-to-site VPN on an ASA 9.14, does creating normal access rules affect the site-to-site VPN traffic from my site to the remote site and vice versa? Or are the only effective access rules the VPN filters under the group policy, and the normal access rules don't affect the site-to-site VPN?

9 Replies

Marvin Rhoads
Hall of Fame

Assuming it's a policy-based site-to-site VPN (i.e., using crypto maps and not VTIs), then the "normal" (interface) ACL doesn't apply; only the ACL specified in the crypto map match plus any VPN filter.

That default behavior can be overridden by "no sysopt permit-vpn".

You mean "no sysopt permit-vpn" will make the normal ACL have effect on the site-to-site VPN? And on a side note, doesn't this command "sysopt permit-vpn" only permit any traffic incoming from the remote site to my site, and not permit or bypass traffic from my side to the remote side?


@baselzind When you define the command "no sysopt connection permit-vpn", this means all VPN traffic must be explicitly permitted via the interface ACL. When the command "sysopt connection permit-vpn" is configured (which is the default), then all VPN traffic bypasses the interface ACLs and is permitted.


Group policy and per-user authorization access lists still apply to the traffic when "sysopt connection permit-vpn" is configured.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html


So let us say my local network is 192.168.1.0/24 and the remote site network is 192.168.2.0/24. If I use "sysopt connection permit-vpn", then is traffic from 192.168.1.0/24 to 192.168.2.0/24 allowed and traffic from 192.168.2.0/24 to 192.168.1.0/24 also allowed? Or is only traffic from 192.168.2.0/24 to 192.168.1.0/24 allowed?

The post-decryption traffic returning from (or originated from) the remote network will appear to originate from your inside interface. So as long as you don't have an outbound ACL applied to it (very uncommon), that traffic will be allowed whether or not the sysopt option is on.

Sorry, but your explanation confused me even more. If you can go along with my example: my ASA has two general ACLs, and

the local network is 192.168.1.0/24 and the remote site network is 192.168.2.0/24.

source interface: inside, destination interface: outside, source network: any, destination network: any, action: deny

and

source interface: outside, destination interface: inside, source network: any, destination network: any, action: deny


If I have "sysopt connection permit-vpn" enabled, would traffic from 192.168.1.0/24 to 192.168.2.0/24 be allowed, and traffic from 192.168.2.0/24 to 192.168.1.0/24 also be allowed?

Please, can any expert explain it? I'm having a lot of trouble troubleshooting the site-to-site VPN without understanding what ACL controls it.

With "sysopt connection permit-vpn", the VPN's IPsec security associations control what traffic is allowed, not any ACL applied to the interfaces. So in your question from 12-15-2021, the answer is yes.
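The configuration below is an added example and is not from any post in this thread or from Cisco; it pulls the three pieces discussed above (the crypto map "interesting traffic" ACL, the group-policy vpn-filter, and the sysopt connection permit-vpn switch) into one ASA 9.x IKEv2 policy-based tunnel for the 192.168.1.0/24 (local) and 192.168.2.0/24 (remote) networks used in the question. The interface names inside/outside, the peer address 203.0.113.2, the object, ACL, proposal and map names, and the pre-shared-key placeholder are all assumptions. Two details worth checking against the Cisco document linked above: a vpn-filter ACL is written with the remote network as the source and the local network as the destination and is applied to both directions of the tunnel, and sysopt connection permit-vpn exempts only traffic that enters the ASA through the tunnel (decrypted traffic) from the interface ACLs, so an inbound access-group on the inside interface still sees cleartext 192.168.1.0/24 traffic before it is encrypted.

```text
! --- Interesting traffic: what gets encrypted into the tunnel ------------
! With the default "sysopt connection permit-vpn", this ACL plus the
! vpn-filter are what gate traffic between the two sites for decrypted
! packets; the outside interface's access-group is not consulted for them.
access-list L2L-CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! --- NAT exemption (identity NAT) for the tunnel traffic -----------------
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- vpn-filter: remote network is always the SOURCE in these ACEs -------
! Applied to both directions of the tunnel. First ACE lets remote hosts
! open HTTPS to local hosts; second ACE (remote side, source port 443)
! lets local hosts open HTTPS to remote hosts; third allows ICMP from remote.
! Everything else crossing the tunnel is dropped by the implicit deny.
access-list L2L-FILTER extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list L2L-FILTER extended permit tcp 192.168.2.0 255.255.255.0 eq 443 192.168.1.0 255.255.255.0
access-list L2L-FILTER extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value L2L-FILTER

! --- Peer definition (assumed peer address and placeholder PSK) ----------
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-GP
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

! --- IKEv2 / IPsec parameters --------------------------------------------
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! --- Default behaviour: decrypted tunnel traffic bypasses interface ACLs -
! IKE (UDP/500, UDP/4500) and ESP to the outside interface are also
! accepted without an explicit rule while this is enabled.
sysopt connection permit-vpn

! --- Alternative: make the outside interface ACL authoritative -----------
! Uncomment these instead of the line above. The remote LAN must then be
! permitted explicitly on the outside access-group or decrypted packets
! from 192.168.2.0/24 are dropped even though the SA is up.
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! access-group OUTSIDE-IN in interface outside
```

To see which control is actually dropping a flow, run packet-tracer for each direction, for example `packet-tracer input outside tcp 192.168.2.10 40000 192.168.1.10 443` for remote-to-local and `packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.10 443` for local-to-remote; the phase that reports DROP names the ACL (interface access-group, vpn-filter) or the VPN encrypt/decrypt step responsible. `show access-list L2L-FILTER` shows per-ACE hit counts for the filter, and `show crypto ipsec sa peer 203.0.113.2` confirms whether packets are being encapsulated and decapsulated at all, which separates "tunnel is down" from "tunnel is up but filtered".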
