08-20-2013 05:04 PM
We are setting up a VPN tunnel with a vendor and I want to only allow pings and one specific port. I thought you could do that through the crypto map on the ASA 5510, but it looks like it has to allow all IP traffic and then you filter it out using a VPN Filter, which requires changing the default sysopt setting. Do I have that right? Am I overthinking this? Normally my VPN tunnels are to other company sites, for which I want all IP traffic allowed.
Thanks!
08-21-2013 09:08 AM
Hi,
No, they are not directly related to each other.
You can use VPN Filter without touching the "sysopt" configuration.
Rather than configuring separate ACLs (which use different logic in their format) for each VPN, I prefer to just set "no sysopt connection permit-vpn" and filter inbound connections coming through the VPN connections on the "outside" interface ACL, just like any traffic coming from behind the "outside" interface.
Here is a link to information about the "sysopt" command:
http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1567918
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
08-20-2013 11:58 PM
Hi,
There are 2 usual options.
I personally prefer the "no sysopt connection permit-vpn" setting. It essentially tells the ASA to treat inbound traffic from VPN connections like any other traffic and not allow it automatically.
You say that you have existing VPN connections that serve your own company only. While it can cause problems, there should be a rather easy way to prevent that before changing the setting.
You could, for example, do the following:
The above should enable you to first allow the traffic from your own VPN networks before changing the global setting mentioned earlier. Now, when you change the global setting and a new connection arrives from your own VPN network, it will be matched against the "outside" interface ACL and will be allowed.
But naturally, if you prefer the VPN Filter ACL yourself, then that's an option also. The L2L VPN filter ACL just uses a slightly different ordering of the source/destination parameters, and that's why I prefer to use the global setting mentioned above, as it permits me to use the "outside" interface ACL to control the VPN traffic too and keep the same logic as all my other ACLs.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
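The two approaches described in the reply above, written out as an added example (this is not Jouni's configuration and not from the original thread). All addresses, ACL names, the group-policy name, the peer address and the port 8443 are constructed placeholders: 192.168.1.0/24 is the local LAN, 10.10.0.0/16 stands for the company's own existing VPN networks, 172.16.50.0/24 is the vendor network and 203.0.113.10 the vendor's peer.

```cisco
! Option 1: filter decrypted VPN traffic on the "outside" interface ACL.
! Step 1 - permit the existing company VPN networks FIRST, so they keep
! working once the global sysopt setting is changed.
object-group network OWN-VPN-NETS
 network-object 10.10.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit ip object-group OWN-VPN-NETS 192.168.1.0 255.255.255.0
! Step 2 - the vendor gets only ping and one TCP port to one host.
access-list OUTSIDE_IN extended permit icmp 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit tcp 172.16.50.0 255.255.255.0 host 192.168.1.20 eq 8443
access-group OUTSIDE_IN in interface outside
! Step 3 - only now stop bypassing the interface ACL for VPN traffic.
! Note: this affects every VPN type terminating on the ASA (L2L and
! remote access), not just the vendor tunnel.
no sysopt connection permit-vpn

! Option 2: leave sysopt at its default and restrict this one tunnel
! with a vpn-filter. The L2L filter ACL is written from the remote
! peer's perspective: source = remote (vendor), destination = local.
access-list VENDOR-VPN-FILTER extended permit icmp 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VENDOR-VPN-FILTER extended permit tcp 172.16.50.0 255.255.255.0 host 192.168.1.20 eq 8443
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-filter value VENDOR-VPN-FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy VENDOR-GP
```

With option 1, `show access-list OUTSIDE_IN` hit counts are the quickest way to confirm that the vendor entries are matching and that nothing else is arriving over the tunnel.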
08-21-2013 09:01 AM
Thanks Jouni this is really helpful! But I thought to use the vpn-filter you had to change the global sys setting? Is that incorrect?
08-22-2013 02:03 PM
Thanks Jouni. That was very helpful and I accomplished what I wanted to!