05-16-2013 01:48 AM
Hi all
Can anyone tell me how the VPN filter works on the ASA? Also, I have ticked the box that says "bypass interface access lists", however the inside-to-outside access list on my interface is blocking the VPN traffic going out. I thought the tick box would make it not use the interface access lists?
please help
Carl
05-16-2013 02:02 AM
Hi,
The "Bypass" function, which is configured with "sysopt connection permit-vpn", essentially applies only to the interface which forms the VPN connection. And in that case it only applies to the inbound direction. If you happen to have an "out" direction interface ACL attached, then I would imagine that is not affected by the "Bypass" configuration you have.
Also, naturally, if you have some deny rules on the "inside" ACL then those won't be overridden by the "Bypass" function.
To my understanding the VPN Filter ACL is a bit more complex in its use.
To my understanding it applies to both "outbound" and "inbound" traffic. Also, the VPN Filter ACL for an L2L VPN always holds the remote network as the "source" network in the ACL rule. This can cause some confusion when building rules.
I think "packet-tracer" will easily tell if the traffic is blocked by either an ACL or a VPN Filter ACL. I think the block caused by a VPN Filter ACL was told only at the very end of the output, while an ACL block is told in a separate ACL phase.
- Jouni
05-16-2013 05:03 AM
So are you saying that if I have an access list applied to my inside interface, then this will override the "bypass" config for the VPN?
05-16-2013 05:57 AM
Hi,
The "sysopt connection permit-vpn" applies only to the interface ACL of the VPN, so basically the "outside" interface. And this applies only for the inbound direction.
So it's possible that an outbound ACL attached to "outside" can block connections. Also, naturally, an inbound ACL attached to "inside" can block connections to an L2L VPN, since this ACL would block connections before they could even reach the VPN phase.
- Jouni
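To put the two answers above into configuration form, here is an added example (not from either poster, and not a copy of anyone's running config) of an L2L tunnel with a vpn-filter, an inbound ACL on "inside", and the packet-tracer call used to see which one drops a flow. The addresses, names and peer are assumptions chosen for illustration: local LAN 10.1.0.0/24 behind "inside", remote LAN 10.2.0.0/24 behind peer 203.0.113.2.

```text
! --- Added example, assumed addressing (not the thread author's config) ---
! local LAN  : 10.1.0.0/24 behind "inside"
! remote LAN : 10.2.0.0/24 behind L2L peer 203.0.113.2

! 1. Bypass the INBOUND ACL on the interface that terminates the tunnel
!    ("outside"). This does nothing for an "out" ACL on outside, and nothing
!    for the "in" ACL on inside.
sysopt connection permit-vpn

! 2. The vpn-filter ACL. Rules are written with the REMOTE network as the
!    source, whichever side initiates, and the filter is checked in both
!    directions with an implicit deny at the end.
!    a) remote LAN may reach a local HTTPS server (remote = source, port on dest)
access-list VPN-FILTER-L2L extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
!    b) local LAN may open SSH to the remote LAN: still remote as source, so
!       the remote SSH port appears as the SOURCE port of the rule
access-list VPN-FILTER-L2L extended permit tcp 10.2.0.0 255.255.255.0 eq 22 10.1.0.0 255.255.255.0

group-policy GP-L2L-PEER internal
group-policy GP-L2L-PEER attributes
 vpn-filter value VPN-FILTER-L2L

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-L2L-PEER

! 3. The inbound ACL on "inside" is evaluated BEFORE the VPN phase, so it
!    must itself permit the traffic that should enter the tunnel; the
!    "bypass" sysopt does not help here.
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 22
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 443
access-group INSIDE-IN in interface inside

! 4. Check which control drops a given flow. With the ACL above, SSH from
!    inside to the remote LAN is permitted; HTTP (80) is not in INSIDE-IN and
!    is not in the vpn-filter either, so the trace shows the earliest drop.
packet-tracer input inside tcp 10.1.0.50 40000 10.2.0.10 22 detailed
packet-tracer input inside tcp 10.1.0.50 40000 10.2.0.10 80 detailed
```

Read the trace phase by phase: a drop in the ACCESS-LIST phase is the interface ACL (INSIDE-IN here), while a drop tied to the vpn-filter appears later, in the VPN-related phases near the end of the output. If you only see the first, fix the interface ACL before touching the vpn-filter.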