Oct 06

Configuring IPsec or SSL VPN to Bypass ACLs

To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source
and destination interfaces, enter the sysopt connection permit-vpn command in global configuration

You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN
concentrator behind the ASA and want to maximize the ASA performance. Typically, you create an ACL
that permits IPsec or SSL VPN packets using the access-list command and apply it to the source
interface. Using an ACL is more secure because you can specify the exact traffic you want to allow
through the ASA.

The syntax is sysopt connection permit-vpn. The command has no keywords or arguments.
The following example enables IPsec or SSL VPN traffic through the ASA without checking ACLs:

hostname(config)# sysopt connection permit-vpn

Follow me!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>