Cisco ASA VPN filter mechanisms

roesch4alc
Level 1

Hello all,

I've got a question regarding the filtering of VPN traffic on a Cisco ASA. My configuration looks like this:

1.) sysopt connection permit-vpn is active (default value)

2.) User VPN is configured with group-based filter ACLs


Everything is working as expected, but I would like to reduce my ruleset size/complexity. I want to establish access rules that should be applied to every VPN connection that is configured. These global rules should contain certain types of ICMP messages and DNS lookups, for example (every client needs these). So with my current config, I can only add the same ACEs to every single filter ACL, right?

In my opinion that's a lot of work and also creates too much configuration. I would like to simply create two rules that are valid for every VPN.

In my opinion I would have to issue the command "no sysopt connection permit-vpn". Of course all the necessary ACLs have to be created prior to that and need to be bound to the correct interfaces. After that the filter ACLs would still be applied, but the ACLs on the interfaces would also match. Then I could create my ACLs for ICMP messages and DNS lookups on the interface where the VPNs are connected to, and they would work for every connection.

My thoughts are based on this page: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118029-configure-asa-00.html

What do you think, am I on the right track, or are there other simple possibilities without using "no sysopt connection permit-vpn"?

Best Regards

Sebastian
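As an added configuration example (not from the thread, and not taken from the Cisco document linked above), this is the layout the post is reaching for, written for an assumed ASA with a 10.200.0.0/16 client pool split into per-group /24s, internal networks in 10.0.0.0/8, a DNS server at 10.0.0.53, a published web server at 203.0.113.10 and two tunnel-groups named SALES and ENG; every name and address is an assumption. One check matters before touching the sysopt: once `no sysopt connection permit-vpn` is in place, decrypted tunnel traffic must be permitted by the vpn-filter and by the interface ACL, both, not either. A vpn-filter that lacks the ICMP and DNS entries therefore still drops that traffic no matter what the interface ACL says. The common rules can only leave the per-group filter ACLs if the per-group rules leave with them and move into the interface ACL, which works when every group draws from its own address pool.

```cisco
! Assumed addressing (not from the thread): VPN pool 10.200.0.0/16 split into
! per-group /24s, internal networks 10.0.0.0/8, DNS server 10.0.0.53.
ip local pool POOL-SALES 10.200.1.1-10.200.1.254 mask 255.255.0.0
ip local pool POOL-ENG   10.200.2.1-10.200.2.254 mask 255.255.0.0

! Group policies carry no vpn-filter at all: with a vpn-filter and the interface
! ACL both active, a packet has to pass both, so any vpn-filter left in place
! would need the ICMP/DNS entries again.
group-policy GP-SALES internal
group-policy GP-SALES attributes
 vpn-filter none
 address-pools value POOL-SALES
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-filter none
 address-pools value POOL-ENG

tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 default-group-policy GP-SALES
tunnel-group ENG type remote-access
tunnel-group ENG general-attributes
 default-group-policy GP-ENG

! One inbound ACL on the interface the tunnels terminate on. First match wins,
! so the shared entries come first and are written once for the whole pool.
access-list OUTSIDE-IN remark --- common rules for every VPN client ---
access-list OUTSIDE-IN extended permit icmp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 echo
access-list OUTSIDE-IN extended permit udp 10.200.0.0 255.255.0.0 host 10.0.0.53 eq domain
access-list OUTSIDE-IN extended permit tcp 10.200.0.0 255.255.0.0 host 10.0.0.53 eq domain
! Group-specific entries are keyed on the group's own pool.
access-list OUTSIDE-IN remark --- SALES (pool 10.200.1.0/24) ---
access-list OUTSIDE-IN extended permit tcp 10.200.1.0 255.255.255.0 host 10.1.1.10 eq 443
access-list OUTSIDE-IN remark --- ENG (pool 10.200.2.0/24) ---
access-list OUTSIDE-IN extended permit tcp 10.200.2.0 255.255.255.0 10.2.0.0 255.255.0.0 eq 22
! Whatever the outside ACL already permitted from the Internet stays; the
! implicit deny at the end now also drops every other VPN packet.
access-list OUTSIDE-IN remark --- existing Internet-facing rules ---
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside

! Echo replies ride the ICMP connection only if ICMP inspection is on (assumed
! to be added to the default global policy).
policy-map global_policy
 class inspection_default
  inspect icmp

! Last step, after the ACL is bound: stop decrypted tunnel traffic from
! bypassing the interface ACL.
no sysopt connection permit-vpn
```

The order of the commands is deliberate: bind the ACL first and disable the sysopt last, or every VPN session, including the one used to manage the box, loses access at the moment the sysopt is removed. The security cost of this design is that entries in the outside ACL also match cleartext packets arriving from the Internet with a spoofed 10.200.0.0/16 source, something a vpn-filter entry never sees because it only evaluates decrypted tunnel traffic.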

1 Reply

mrsethi
Cisco Employee

Hi,

Going through your query, as I understand it, you wish to reduce the complexity of applying the ACLs for the VPNs.

>>You wish to apply a single set of rules to all the VPNs.

>>You can use the VPN filter under the group policy and use the same group policy for all the VPNs.

>>I would not suggest disabling the option "sysopt connection permit-vpn", as after this you have to configure multiple ACLs to allow VPN traffic on the outside interface.

>>The above option by default trusts the VPN traffic and allows it through the outside interface.

I hope the above answers your query.

Regards,

Mrutunjay Sethi
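The shared-policy design from the reply, as an added configuration example rather than text from the thread, again on the assumed 10.200.0.0/16 pool, 10.0.0.53 DNS server, 10.0.0.0/8 internal networks and tunnel-groups SALES and ENG (all assumptions). `sysopt connection permit-vpn` stays at its default, so the outside interface ACL is never consulted for tunnel traffic; the single vpn-filter ACL is written with the client address as source and the internal resource as destination, which is the direction the ASA expects for a remote-access filter. Because `vpn-filter value` accepts exactly one ACL per group-policy, this design gives every group identical access. The second half of the block covers the case where groups must still differ: each group keeps its own ACL, and object groups shrink the repeated part of every ACL to a single entry.

```cisco
! Assumed addressing (not from the thread): VPN pool 10.200.0.0/16,
! internal networks 10.0.0.0/8, DNS server 10.0.0.53.

! Part 1: one vpn-filter shared by every tunnel-group. Source is the client
! address, destination the internal resource (remote-access filter direction).
access-list VPNFILT-ALL extended permit icmp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 echo
access-list VPNFILT-ALL extended permit udp 10.200.0.0 255.255.0.0 host 10.0.0.53 eq domain
access-list VPNFILT-ALL extended permit tcp 10.200.0.0 255.255.0.0 host 10.0.0.53 eq domain

group-policy GP-VPN-ALL internal
group-policy GP-VPN-ALL attributes
 vpn-filter value VPNFILT-ALL

! Every tunnel-group points at the same policy; sysopt connection permit-vpn is
! left at its default, so nothing has to be added to the outside ACL.
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 default-group-policy GP-VPN-ALL
tunnel-group ENG type remote-access
tunnel-group ENG general-attributes
 default-group-policy GP-VPN-ALL

! Echo replies return on the ICMP connection only with ICMP inspection enabled
! (assumed to be added to the default global policy).
policy-map global_policy
 class inspection_default
  inspect icmp

! Part 2: if groups must differ, a group-policy takes one vpn-filter, so each
! group keeps its own ACL. The shared DNS entry collapses to one ACE per ACL
! through a network object group and a protocol-less service object group.
object-group network NET-DNS
 network-object host 10.0.0.53
object-group service SVC-DNS
 service-object tcp-udp destination eq domain

access-list VPNFILT-SALES extended permit icmp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 echo
access-list VPNFILT-SALES extended permit object-group SVC-DNS 10.200.0.0 255.255.0.0 object-group NET-DNS
access-list VPNFILT-SALES extended permit tcp 10.200.0.0 255.255.0.0 host 10.1.1.10 eq 443

access-list VPNFILT-ENG extended permit icmp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 echo
access-list VPNFILT-ENG extended permit object-group SVC-DNS 10.200.0.0 255.255.0.0 object-group NET-DNS
access-list VPNFILT-ENG extended permit tcp 10.200.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 22

group-policy GP-SALES internal
group-policy GP-SALES attributes
 vpn-filter value VPNFILT-SALES
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-filter value VPNFILT-ENG
```

Adding a DNS server later then means one `network-object` line in NET-DNS instead of an edit in every filter ACL, and the filter ACLs themselves stay separate from any `access-group` binding, which Cisco advises against sharing with a vpn-filter.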