Behaviour of "sysopt connection permit-vpn" for Anyconnect

j.a.m.e.s
Participant

All,


I know this command has been covered in a few places, but even after reading the documentation I'm confused about what it does.


When enabled, does it permit the overlay (i.e. DTLS traffic and associated TLS) from Anyconnect clients towards the ASA? Or does it mean the underlay (i.e. real user/tunneled traffic) will not be subjected to the outside interface ACL?


I thought the sysopt command would apply to traffic from the corporate network towards the clients as well, but unfortunately the following blocked all my underlay traffic outbound to Anyconnect clients:

sysopt connection permit-vpn
!
access-group ACL-OUTSIDE-OUT out interface outside
access-list ACL-OUTSIDE-OUT extended deny ip any any log
!

With the above config, clients can still establish DTLS sessions and access things like corporate CIFS shares, but no traffic from the internal LAN could be initiated towards the client, i.e. on my corporate PC I could not ping the VPN pool IP of an Anyconnect client.
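The behaviour observed in the post is consistent with how the ASA applies the egress ACL: "sysopt connection permit-vpn" exempts decrypted, tunnel-originated traffic from the ingress interface ACL, but an access-group applied in the "out" direction on the outside interface is still evaluated for traffic leaving towards the VPN clients, so "deny ip any any log" catches LAN-to-pool flows. The following is an added example config, not part of the original post or Cisco documentation; the ACL name is the one from the post, while the object names and the 10.10.0.0/16 corporate range and 192.0.2.0/24 AnyConnect pool are constructed placeholders. Lines starting with "!" are explanatory comments.

```cisco
! Added example: explicitly permit corporate -> VPN-pool traffic on the egress ACL.
! Object names and subnets are constructed placeholders, adjust to the real environment.
object network NET-CORP
 subnet 10.10.0.0 255.255.0.0
object network NET-VPN-POOL
 subnet 192.0.2.0 255.255.255.0
!
! Inbound bypass for decrypted VPN traffic (ingress ACL only) stays enabled.
sysopt connection permit-vpn
!
! The egress ACL on outside is still evaluated for traffic towards the clients,
! so the permit must come before the logging deny (ACEs are evaluated in order).
access-list ACL-OUTSIDE-OUT extended permit ip object NET-CORP object NET-VPN-POOL
access-list ACL-OUTSIDE-OUT extended deny ip any any log
access-group ACL-OUTSIDE-OUT out interface outside
```

To confirm the policy before relying on it, run a packet trace for a LAN-initiated ping towards a pool address (addresses constructed): "packet-tracer input inside icmp 10.10.1.5 8 0 192.0.2.10". The ACCESS-LIST phase of the output should show the ACL-OUTSIDE-OUT permit being matched rather than the implicit or explicit deny.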
