cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
317
Views
0
Helpful
1
Replies

Cisco ASA VPN filter mechanisms

roesch4alc
Level 1
Level 1

Hello all,

I´ve got a question regarding the filtering of vpn traffic on a Cisco ASA. My Configuration looks like that:

1.) sysopt permit vpn is active (default value)

2.) User VPN is configured with filter acl´s / group based


Everything is working as expected, but I would like to reduze my ruleset size/complexity. I want to establish access rules, that should be applied to any vpn connection, that is configured. This global rules should contain certain types of icmp messages and dns lookups for example (any client needs this). So with my current config, I only can add the the same ace´s to every single filter-acl, right?

In my opinion thats much work and also creates to much configuration. I would like to simply create two rules, that are valid for every vpn.

In my opionion I would have to issue the command "no sysopt connection permit-vpn". Of course all the necessary acl´s have to be created prior to that and need to be bound to the correct interfaces. After that the filter-acl´s would still be applied, but the acl´s on the interfaces would also match. Then I could create my acl´s for icmp messages and dns lookups on the interface where the vpn´s are connected to and they would work for any connection.

My thoughts are according to this site http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118029-configure-asa-00.html

What do you think, am I on the right way or are there other simple possibilities without using "no sysopt connection permit-vpn" ?

Best Regards

Sebastian

1 Reply 1

mrsethi
Cisco Employee
Cisco Employee

Hi,

Going through your query, as i understand that you wish to reduce the complexity of applying the ACL for the vpn's.

>>You wish to apply single rules for all the vpn's.

>>You can use tVPN-Filter under the group policy and use the same group-policy for all the vpn's.

>>I would not suggest to disable the option "sysopt permit-vpn" as after this you have to configure multiple ACL's to allow vpn traffic on the outside interface.

>>The above option by default trust the VPN traffic and allows through the outside interface.

I hope the above answers your query.

Regards,

Mrutunjay Sethi