
ASA Site-to-Site VPN | Do you need an inbound ACL on WAN Interface

enzo99 (Level 1)

Hello guys, 

I've recently started a job where ASAs are used as the main firewalls. 
I am currently struggling with the VPN S2S concepts and would like some clarification.

Site 1:
Private Subnet: 192.168.1.0/24
WAN IP FW: 1.1.1.1

Site2:
Private Subnet: 192.168.2.0/24
WAN IP FW: 2.2.2.2

When I read all the config guides and documentation, you need to configure a crypto acl which highlights "interesting traffic". In the case above permit 192.168.1.0 0.0.0.255 192.168.2.0 (vice versa on the other FW)

For some strange reason we have an inbound ACL applied to our WAN-Interface (1.1.1.1) which permits traffic from 2.2.2.2.
From my understanding you do not need that ACL, my senior colleagues told me that it would be necessary for Phase 1 traffic exchange. I am now confused and unsure, could you help me sort this out?

Best regards

Accepted Solution

@enzo99 the "sysopt connection permit-vpn" command in global configuration mode is used to allow the traffic to bypass interface access lists. If you don't have that command configured then you'd need to explicitly permit the traffic in an ACL.

It sounds like the other ACL (traffic to/from the public IP address) is redundant, I would need to see it to confirm.


6 Replies

@enzo99 if using a policy based VPN, then you need to configure the crypto ACL to define the interesting traffic to be encrypted and tunneled over the VPN.

Is it a control plane ACL on the ASA? That could be used to permit the establishment of the VPN from the peer IP address (2.2.2.2) to your ASA. You don't necessarily need that ACL (it's optional), but it is probably there to restrict only known IP addresses from communicating with the ASA and attempting to establish a VPN. If it's on the outside interface, inbound to the ASA's IP address, then it would have no effect for traffic "to" the ASA itself to control establishment of the VPN. Normal interface ACLs restrict traffic "through" the ASA.

Network Diver (Level 3)

If "sysopt connection permit-vpn" is set on the ASA, then VPN tunnel policy overrides the interface access-list.

enzo99 (Level 1)

Another question,

would I still need an ACL on the outside interface which permits the interesting traffic that is highlighted in the crypto ACL or is the traffic mentioned in the crypto acl allowed by default?

Best regards

@enzo99 the command "sysopt connection permit-vpn" mentioned by @Network Diver would override the interface ACL for VPN traffic, so no you would not. Also, that command is enabled by default.

In regard to the original question, is the ACL a control plane ACL or just a normal interface ACL?
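To make the three different ACLs in this thread concrete, here is an added ASA configuration example for the site 1 firewall (1.1.1.1) built around the addresses the original post gives; it is not configuration from the thread or from any of the posters. The crypto ACL selects interesting traffic, the optional control-plane ACL restricts who may talk to the ASA itself (IKE on UDP 500/4500 and ESP) to the known peer, and the interface ACL only matters for decrypted tunnel traffic when the default "sysopt connection permit-vpn" bypass is turned off. The ACL and object names, the IKEv2 parameters and the pre-shared-key placeholder are assumptions chosen for the example.

```cisco
! --- Crypto ACL: interesting traffic, site 1 LAN <-> site 2 LAN (assumed name VPN_SITE2)
access-list VPN_SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! --- Identity NAT so tunnelled traffic is not translated (assumed object names)
object network SITE1_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE2_LAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static SITE1_LAN SITE1_LAN destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup

! --- Phase 1 (IKEv2) and Phase 2 (IPsec) parameters, assumed values for the example
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address VPN_SITE2
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! --- Optional control-plane ACL: traffic addressed TO the ASA itself.
! Limits IKE/ESP to the known peer; a normal interface ACL does not filter this traffic.
access-list OUTSIDE_CP extended permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
access-list OUTSIDE_CP extended permit udp host 2.2.2.2 host 1.1.1.1 eq 4500
access-list OUTSIDE_CP extended permit esp host 2.2.2.2 host 1.1.1.1
access-group OUTSIDE_CP in interface outside control-plane

! --- Default behaviour: decrypted VPN traffic bypasses the outside interface ACL,
! so no interface ACL entry for 192.168.2.0/24 -> 192.168.1.0/24 is needed.
sysopt connection permit-vpn

! --- Alternative: disable the bypass and filter decrypted traffic with the interface ACL.
! Then the interface ACL must explicitly permit the tunnelled subnet (and whatever else
! you want to allow); without such an entry the decrypted packets are dropped.
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! access-group OUTSIDE_IN in interface outside
```

Use "show running-config sysopt" to confirm whether the bypass is active on a given ASA, and "show access-list OUTSIDE_IN" hit counts to see whether an existing interface ACL entry for the peer or the remote subnet is actually matching anything before deciding it is redundant.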

Sorry if I'm asking redundantly but I'm new to ASAs. Once the data has been sent over the tunnel and has been successfully decrypted you do need an extra ACL on the outside interface inbound unless the command "sysopt connection permit-vpn" is configured. If the command is configured globally I could omit the ACL?

The other ACL is just a normal ACL.
