Sysopt Connection Permit-VPN & ACL Order of Operation

andy.winford
Level 1

I have always understood that sysopt connection permit-vpn was enabled by default on ASA 7.2 and above, and therefore by default exempted traffic flow between hosts in the crypto ACL from having to be parsed against your ingress or egress ACLs. However, today I was working on an issue where the internal hosts have an ACL applied to the inside interface with an any-any rule that restricts traffic outbound to the internet, but only on specific ports defined in a service-based object group.

My site-to-site tunnel was working as it should, except I could not get hosts defined in my crypto ACL to talk to each other on a specific port. That is when I found the aforementioned rule, added my ports to the object group, and I was able to communicate as expected. I never looked at any rules because I knew sysopt connection permit-vpn was enabled.

So it appears that there is an order to this madness that I don't understand: while sysopt connection permit-vpn bypasses host-to-host communication, another ACL can block the traffic. Can someone break this down for me?

Thanks…

1 Reply

Todd Pula
Level 7

My understanding in practical use is that with the feature enabled, you do not need to explicitly permit the VPN-related protocols in an inbound ACL (i.e. Internet->Outside). Additionally, you do not need to explicitly permit decrypted traffic from the VPN in an outbound ACL on the LAN. Traffic that is sourced from an inside host to a remote VPN host will be processed by the inbound ACL before it is matched against the crypto ACL, which is why you need to explicitly permit the traffic. The 8.3/8.4 command reference discusses this better than previous iterations.

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/s8.html#wp1567918

Todd
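A configuration sketch of the scenario in the question and the order of operations in the reply, added here as an illustration and not taken from the thread or from Cisco documentation; the interface, object-group, ACL and crypto-map names, ports and subnets are assumptions, and the ASA 8.3+ object-group syntax is used because the reply points at that command reference.

```cisco
! Added example (not from the thread). Names, ports and subnets are assumptions.
! sysopt connection permit-vpn is on by default and does not show in the
! normal running-config; confirm it with defaults included:
!   show running-config all sysopt
sysopt connection permit-vpn

! Service object-group referenced by the inside ACL. Only these destination
! ports are allowed outbound from the LAN.
object-group service LAN-OUTBOUND-PORTS
 service-object tcp destination eq 80
 service-object tcp destination eq 443
 ! Fix for the question: the port the remote VPN hosts must be reached on.
 ! Without this entry the inside ACL drops the flow before it ever reaches
 ! the crypto map, regardless of sysopt connection permit-vpn.
 service-object tcp destination eq 3389

! Inbound ACL on the inside interface (the "any-any" rule from the question).
! For LAN -> remote VPN host, this ACL is evaluated first; only afterwards
! does the crypto ACL decide whether the flow is encrypted.
access-list INSIDE-IN extended permit object-group LAN-OUTBOUND-PORTS any any
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! Crypto ACL (interesting traffic) for the site-to-site tunnel.
! Peer, IKE and transform/proposal lines are omitted from this sketch.
access-list L2L-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC

! Inbound ACL on the outside interface. Because sysopt connection permit-vpn
! is enabled, neither the IPsec protocols (UDP/500, UDP/4500, ESP) nor the
! decrypted remote-to-local traffic needs an explicit permit here.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Verify the order of operations: packet-tracer lists the inside ACL phase
! before the VPN encryption phase for a LAN-sourced flow, so a missing port
! in LAN-OUTBOUND-PORTS shows up as an ACL drop, not a VPN problem.
!   packet-tracer input inside tcp 10.1.0.10 40000 10.2.0.10 3389
```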