vpn filter and access lists for site to site tunnels

carl_townshend
Spotlight

Hi all

Can anyone tell me how the VPN filter works on the ASA? Also, I have ticked the box that says "bypass interface access lists"; however, the inside-to-outside access list on my interface is blocking the VPN traffic going out. I thought the tick box would make it not use the interface access lists?

Please help.

Carl

3 Replies

Jouni Forss
VIP Alumni

Hi,

The "Bypass" function, which is configured with "sysopt connection permit-vpn", essentially applies only to the interface which forms the VPN connection. And in that case it only applies to the inbound direction. If you happen to have an "out" direction interface ACL attached, then I would imagine that is not affected by the "Bypass" configuration you have.

Also, naturally, if you have some deny rules on the "inside" ACL then those won't be overridden by the "Bypass" function.

To my understanding the VPN Filter ACL is a bit more complex in its use.

To my understanding it applies to both "outbound" and "inbound" traffic. Also, the VPN Filter ACL for an L2L VPN always holds the remote network as the "source" network in the ACL rule. This can cause some confusion when building rules.

I think "packet-tracer" will easily tell if the traffic is blocked by either an interface ACL or a VPN Filter ACL. I think a block caused by the VPN Filter ACL is only reported at the very end of the output, while an interface ACL block is reported in a separate ACL phase.

- Jouni

So are you saying that if I have an access list applied to my inside interface, then this will override the "bypass" config for the VPN?

Hi,

The "sysopt connection permit-vpn" applies only to the interface ACL of the VPN interface, so basically the "outside" interface. And this applies only to the inbound direction.

So it's possible that an outbound ACL attached to "outside" can block connections. Also, naturally, an inbound ACL attached to "inside" can block connections to an L2L VPN, since this ACL would block connections before they could even reach the VPN phase.

- Jouni
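The points made in the replies above (the remote network is the source in an L2L vpn-filter ACL, the filter is evaluated in both directions, and "sysopt connection permit-vpn" only bypasses the inbound ACL on the VPN-terminating interface) are shown below in an ASA configuration fragment. This is an added example written for this thread, not configuration from the original posts; the network addresses, ACL name, group-policy name and peer address are constructed placeholders.

```cisco
! Constructed example: local LAN 192.168.1.0/24 behind "inside",
! remote LAN 192.168.2.0/24 reached through an L2L tunnel to peer 203.0.113.10.
!
! vpn-filter ACL for an L2L tunnel: the REMOTE network is always the source.
! This single rule lets local hosts open HTTPS to the remote LAN; the ASA
! also evaluates the same rule with source/destination swapped for the
! return (outbound) direction, so no mirrored rule is needed.
! Note the port qualifier sits on the remote (source) side.
access-list VPN-FILTER-L2L extended permit tcp 192.168.2.0 255.255.255.0 eq 443 192.168.1.0 255.255.255.0
! vpn-filter ACLs end in an implicit deny: any tunnel traffic not matched
! above is dropped, regardless of what the interface ACLs permit.

group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER-L2L

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-GP

! The "bypass interface access lists" checkbox in ASDM is this command.
! It skips only the INBOUND ACL on the interface that terminates the tunnel
! ("outside" here) for decrypted VPN traffic. An inbound ACL on "inside",
! or an outbound ACL on "outside", is still enforced and can still block
! the traffic before or after it reaches the VPN phase.
sysopt connection permit-vpn

! Trace a local client connecting to a remote HTTPS server to see which
! phase (interface ACL or VPN) drops the packet, if any:
packet-tracer input inside tcp 192.168.1.10 12345 192.168.2.20 443
```

When packet-tracer reports a drop, check whether the drop occurs in the ACCESS-LIST phase (an interface ACL, not affected by the bypass setting on the "inside" side) or later in the VPN-related phases (the vpn-filter), and fix the corresponding ACL rather than loosening both.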
