06-10-2010 06:52 AM
Just need someone to verify this..
The command "sysopt connection permit-vpn" tells the ASA to allow the VPN traffic regardless of access-lists, correct?
And I can choose not to use this command and control the traffic on the outside access list?
Thanks in advance!
10-16-2013 01:03 PM
Hello Guys,
One simple question.
When I disable the command "sysopt connection permit-vpn", does the negotiation traffic (ACL exchange between the firewalls) in phase two of the VPN continue to be negotiated using the crypto map configuration?
The only difference is that when I disable this command I need to allow this traffic on the outside interface too, right?
10-16-2013 01:08 PM
Hi,
The only thing disabling this default setting of "sysopt connection permit-vpn" does is that any traffic coming through a VPN connection doesn't get a free pass through the "outside" interface ACL. It doesn't have an effect on the actual VPN negotiation.
- Jouni
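The two configurations side by side, as an added example that is not part of the original posts: the default (implicit) setting that lets decrypted tunnel traffic skip the interface ACLs, and the hardened form where the default is turned off and the site-to-site traffic has to be permitted explicitly. Object names, the ACL name OUTSIDE_IN and the addresses (remote LAN 10.20.0.0/24, local web server 192.168.10.50) are assumptions chosen for illustration.

```cisco
! Default behaviour. This line is implicit and does not show up in a plain
! "show running-config"; confirm the effective value with:
!   show running-config all sysopt
! With it active, decrypted VPN traffic bypasses every interface ACL.
sysopt connection permit-vpn

! Hardened: make decrypted VPN traffic subject to the interface ACLs.
no sysopt connection permit-vpn

! Decrypted site-to-site traffic now enters through "outside" like any other
! packet, so it must be permitted there. Assumed addressing (illustration only).
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0
object network LOCAL_WEB
 host 192.168.10.50

access-list OUTSIDE_IN extended permit tcp object REMOTE_LAN object LOCAL_WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The IKE/ESP negotiation itself (UDP 500, UDP 4500 and ESP addressed to the ASA) is to-the-box traffic, which interface access-groups do not filter; it stays enabled by "crypto ikev1 enable outside" or "crypto ikev2 enable outside" and needs no entry in OUTSIDE_IN. If you want to keep the default and still restrict tunnel traffic per peer, the usual alternative is a "vpn-filter" ACL in the group-policy, which applies to that tunnel only.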
10-16-2013 01:19 PM
Hi Jouni.
Ok.
Thank you.
07-14-2020 12:14 PM
I know I am very late to the thread here, but does this option also bypass OUTGOING rules? I ask because I recently implemented some outgoing rules on our outside interface and it affected the traffic on the B2B VPN. When disabling the rule, the traffic on the B2B VPN returned to normal. Does the sysopt connection permit-vpn only apply to incoming rules?
Thank you.
11-30-2023 02:48 AM
I've been trying to use this for traffic monitoring, and the ACL applied outgoing on the inside interface had not a single match.
Opened a TAC case and, in the end, the conclusion was that sysopt is preventing the traffic from matching any ACL, regardless of where they are applied.
02-29-2016 07:58 PM
Want to clarify a funny thing.
Due to some requirement, I had to configure Remote VPN on the LAN interface of a Cisco ASA within the office.
So now, when I connect the VPN (which is enabled on the LAN interface, a high security zone), I was able to access my low security zone DMZ, even though I had an ACL in the out direction on the DMZ interface that was denying the traffic.
This means my ACL had no effect; when I disabled the sysopt command, my ACL started blocking traffic and came into action. So it's not about which interface the crypto is applied on.
In my case, even though the crypto was applied on the LAN side and the traffic wanted to go out to the DMZ (less secure), even then the ACL was not triggering.
It's called real-world functionality :D