IPsec tunnel configuration and interface ACLs

eliezermedved
Level 1

Hi,

I define an IPsec tunnel by "crypto map" on the outside interface.

"vpn_acl" is assigned to this crypto map and defines the traffic that I want to encrypt.

I don't understand if I have to add an access-list on the inbound interface inside that permits this traffic.

I see in the documentation: "The crypto access list does not determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination."

But on the other hand I don't see in the examples for IPsec tunnel configuration any step for the definition of an inbound interface ACL.

I understand that the "sysopt connection permit-vpn" command is relevant only to traffic that arrives from the tunnel, am I right?

Thank you.

Eliezer.

 

1 Reply

Hello Eliezer,

 

You are right, you will need to do something like this:

 

192.168.1.0/24 Inside ASA1 <---------------> ASA2 inside 172.16.1.0/24

ASA1:
access-list INSIDE_IN permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group INSIDE_IN in interface inside

ASA2:
access-list INSIDE_IN permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group INSIDE_IN in interface inside

sysopt connection permit-vpn

 

To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.

 

You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN concentrator behind the ASA and want to maximize the ASA performance. Typically, you create an ACL that permits IPsec or SSL VPN packets using the access-list command and apply it to the source interface. Using an ACL is more secure because you can specify the exact traffic you want to allow through the ASA.

 

Let me know if this works out!

 

Please don't forget to rate and mark as correct the helpful post!

 

Regards,

David Castro
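To make the distinction in the reply concrete, here is an added model of the ASA decision logic (written for this thread, not code from Cisco or from the poster). It assumes the constructed ASA1 config below, default security levels of 100 for inside and 0 for outside, and the usual first-match ACL evaluation with an implicit deny: the crypto ACL only decides whether a flow is encrypted, while the interface ACL (or the sysopt bypass for decrypted tunnel traffic) decides whether it is permitted at all.

```python
import ipaddress
import re
# Constructed ASA1-style config combining the reply's INSIDE_IN ACL with the question's vpn_acl.
ASA1_CONFIG = """
access-list vpn_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list INSIDE_IN permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group INSIDE_IN in interface inside
sysopt connection permit-vpn
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
SECURITY_LEVEL = {"inside": 100, "outside": 0}  # assumed ASA defaults for this model

def parse(config):
    """Collect named ACLs, interface bindings and the sysopt flag from ASA-style lines."""
    acls, bindings, sysopt = {}, {}, False
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif g := GROUP_RE.match(line):
            bindings[g.group(2)] = g.group(1)
        elif line == "sysopt connection permit-vpn":
            sysopt = True
    return acls, bindings, sysopt

def acl_permits(acl, src, dst):
    """First-match evaluation of one ACL, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def decide(config, iface, src, dst, from_tunnel=False):
    """Return (permitted, encrypted) for a flow entering iface; the crypto ACL is mirrored for decrypted traffic."""
    acls, bindings, sysopt = parse(config)
    if from_tunnel and sysopt:
        permitted = True                      # decrypted VPN traffic bypasses interface ACLs
    elif iface in bindings:
        permitted = acl_permits(acls.get(bindings[iface], []), src, dst)
    else:                                     # no ACL bound: higher-to-lower security is allowed by default
        permitted = SECURITY_LEVEL[iface] > min(SECURITY_LEVEL.values())
    crypto = acls.get("vpn_acl", [])
    encrypted = acl_permits(crypto, dst, src) if from_tunnel else (permitted and acl_permits(crypto, src, dst))
    return permitted, encrypted
```

Running the model without the sysopt line shows why the reply includes it: decrypted traffic arriving on outside is still dropped unless an ACL is bound to that interface.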