«

»

Oct 06

Configuring IPsec or SSL VPN to Bypass ACLs

Categories:

Cisco ASA/FWSM, Firewall

by admin

To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source
and destination interfaces, enter the sysopt connection permit-vpn command in global configuration
mode.

You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN
concentrator behind the ASA and want to maximize the ASA performance. Typically, you create an ACL
that permits IPsec or SSL VPN packets using the access-list command and apply it to the source
interface. Using an ACL is more secure because you can specify the exact traffic you want to allow
through the ASA.

The syntax is sysopt connection permit-vpn. The command has no keywords or arguments.
The following example enables IPsec or SSL VPN traffic through the ASA without checking ACLs:

hostname(config)# sysopt connection permit-vpn

Follow me!

This post has no tag

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>