FPR2110 ASA Code outside access list denies tunneled traffic.

Garry Cross
Level 1

This is the first time configuring a VPN L2L between an FPR2110 running ASA software and another real ASA.

We found that the outside access list was denying the tunneled traffic.

We needed to add permit ip 172.16.0.0 255.255.0.0 any to the ACL in order for communication to work.


Cisco Adaptive Security Appliance Software Version 9.10(1) <context>
Firepower Extensible Operating System Version 2.4(1.103)


I can't imagine that this is working as designed.


Thanks for any insight.


1 Accepted Solution


@Garry Cross 

To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-params.html


2 Replies


Thank you. It would appear someone configured the no form of that command.


act# show run | inc sysopt
no sysopt connection permit-vpn
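The two behaviours discussed in this thread side by side, as an added illustration rather than the poster's own configuration (the ACL and interface names are assumed; 172.16.0.0/16 is the remote subnet from the original post):

```text
! Mode found on the FPR2110: ACL bypass for VPN traffic is disabled, so decrypted
! IPsec traffic is evaluated against the outside interface ACL like any other
! inbound packet. The remote network therefore has to be permitted explicitly.
! (The "no" form shows in "show run" because the default is enabled.)
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 any
access-group OUTSIDE_IN in interface outside
! Tighter variant of the same line: replace "any" with the local protected
! subnet so the ACL entry only covers the tunnel's actual traffic.

! Mode from the accepted answer: decrypted VPN traffic skips the interface ACLs
! entirely, so no entry for 172.16.0.0/16 is needed in OUTSIDE_IN. Any filtering
! of tunnel traffic then has to be done elsewhere (e.g. a vpn-filter on the
! group policy), since the outside ACL no longer sees it.
sysopt connection permit-vpn

! Verify which mode is active (as in the follow-up post):
! show run | include sysopt
```

Because the enabled state is the default and is hidden from the running configuration, an empty result from the show command means the bypass is on; only the explicit "no" form indicates that tunnel traffic is being filtered by the interface ACL.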
