79400 Views | 32 Helpful | 20 Replies

sysopt connection permit-vpn

networker99
Level 1

Just need someone to verify this..

The command "sysopt connection permit-vpn" tells the ASA to allow the VPN traffic regardless of access-lists, correct?

And I can choose not to use this command and control the traffic on the outside access list?

Thanks in advance!

20 Replies

Hello Guys,

One simple question.

When I disable the command "sysopt connection permit-vpn", does the negotiation traffic (ACL exchange between the firewalls) in phase two of the VPN continue to be negotiated using the crypto map configuration?

The only difference is that when I disable this command I need to allow this traffic on the outside interface too, right?

Hi,

The only thing disabling this default setting of "sysopt connection permit-vpn" does is that any traffic coming through a VPN connection doesn't get a free pass through the "outside" interface ACL. It doesn't have any effect on the actual VPN negotiation.

- Jouni
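To make the difference concrete, here is an added ASA configuration example; it is not from this thread or from any of the posters. The interface name "outside", the subnets and the port are constructed for illustration. With the default in place, decrypted tunnel traffic never hits the interface ACL; with the bypass removed, only what the ACL explicitly permits gets through, and the deny counters and logs become useful for detecting unexpected traffic from the peer.

```cisco
! Added example, not from the thread. Assumed: interface "outside",
! remote site LAN 192.168.50.0/24, local LAN 10.1.1.0/24 (constructed values).

! Default behaviour: traffic arriving through a VPN tunnel bypasses the
! interface ACL entirely (this line is present implicitly on a new ASA).
sysopt connection permit-vpn

! Hardened alternative: remove the bypass and state explicitly what the
! tunnel is allowed to reach on the inside.
no sysopt connection permit-vpn

object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0

! Only HTTPS from the remote LAN to the local LAN is allowed; everything
! else that comes out of the tunnel is dropped and logged.
access-list OUTSIDE_IN extended permit tcp object REMOTE_LAN object LOCAL_LAN eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Check: with the bypass removed, decrypted tunnel traffic now increments
! the hit counts on these entries instead of showing zero matches.
show access-list OUTSIDE_IN
```

The IKE (UDP/500, UDP/4500) and ESP packets that build the tunnel are addressed to the ASA itself and are not subject to the interface ACL, which is why removing the bypass does not affect negotiation; only the traffic carried inside the tunnel has to be permitted. If a per-tunnel policy is preferred over the interface ACL, the vpn-filter attribute in the group policy is the usual place for it.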

Hi Jouni.

Ok.

Thank you.

I know I am very late to the thread here, but does this option also bypass OUTGOING rules? I ask because I recently implemented some outgoing rules on our outside interface and it affected the traffic on the B2B VPN. When disabling the rule, the traffic on the B2B VPN returned to normal. Does sysopt connection permit-vpn only apply to incoming rules?

Thank you.


I've been trying to use this for traffic monitoring, and the ACL applied as OUTgoing on the inside interface did not get a single match.
Opened a TAC case and, at the end, the conclusion was that sysopt is preventing the traffic from matching any ACL, regardless of where they are applied.

ahmad82pkn
Level 2

Want to clarify a funny thing.

Due to some requirement, I had to configure Remote VPN on the LAN interface of a Cisco ASA within the office.

So now when I connect the VPN (that is enabled on the LAN interface, a high security zone), I was able to access my low security zone DMZ, even though I had an ACL in the out direction on the DMZ interface that was denying the traffic.

This means my ACL had no effect; when I disabled the sysopt command, my ACL started blocking traffic and came into action. So it's not about which interface the crypto is applied on.

In my case, even with the crypto applied on the LAN side, and the traffic wanting to go out to the DMZ (less secure), the ACL was still not triggering.

It's called real world functionality :D