Showing results for 
Search instead for 
Did you mean: 
Marcus Hunold

sysopt connection permit-vpn vs. default inspection service policies

sysopt connection permit-vpn


default inspection service policies


ASA 9.5(2)-10 for AnyConnect SSL-VPN

sysopt connection permit-vpn*

Outside interface - deny ip any any

Inside interface - permit any less secure networks

All VPN users are permitted to access ip any except some users who get a VPN-Filter to their VPN session (controlled via ACS).

default inspection service policies active


Does it makes sense to disable "default inspection service policies"?

I cannot see really benefits for the feature in that scenario but it takes ressources.

Please only answers with explanation and don't poste generic links to configuration guides of the ASA - I have them already.

*The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

Aditya Ganjoo
Cisco Employee

Hi Marcus,

Default inspection has no relation with sysopt connection permit-vpn command.

If you disable the inspection policies it should have no impact on the Anyconnect working but yes it may impact the other services depending on the traffic passing through the ASA.



Please rate helpful posts and mark correct answers.

Hi Aditya, thank you for your answer.

Maybe my initial text is not detailed enough - the ASA is used for SSL-VPN traffic only.

There is no other traffic than the SSL-VPN sessions.

So does it make sense to disable default inspection service policies, maybe there is an official recommendation from Cisco? I am right with my view that the default inspection service policies have no benefits in my scenario?

Hi Marcus,

Yes you are correct.

In your case if only SSL VPN traffic is passing on the ASA you can go ahead and disable the default inspection policies.

But it also depends on what traffic is passing on the SSL VPN tunnel.

So lets say you are using FTP, ICMP or SIP traffic on the Anyconnect tunnel you would need the inspection to make sure the traffic is inspected.

So to makes things clear,ASA can inspect traffic prior encryption or post-decryption but ASA cannot inspect encrypted traffic.

This means that if the VPN tunnel/SSL VPN terminates on the ASA, ASA could inspect the traffic sent through the tunnel prior encryption and could inspect the traffic post-decryption when received.

If the tunnel does not terminate on the ASA but instead passes through the ASA, the ASA cannot inspect the traffic encapsulated inside.



Please rate helpful posts and mark correct answers.

Content for Community-Ad