Please see inline
On Wed, Apr 29, 2009 at 10:36 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Hi Guys,
>
> Just reading a book here, I came across this statement which I haven't come
> across (at least yet). It says when IPSec tunneled traffic hits the Outside
> interface of an ASA, if you do not have *sysopt connection
> permit-vpn* configured and decided to allow the VPN (related) traffic
> by opening up the
> Outside-IN ACL on the Outside interface, then you also NEED TO ALLOW the
> tunneled traffic through this ACL.
>
The book is 100% correct: if you don't have the sysopt connection
permit-vpn command, all VPN tunnels terminated ON the firewall need to be
permitted in the interface ACL. With this command, the ACL applied on the
VPN terminating interface is not checked for encrypted traffic (terminating
on the firewall itself).
>
> In other words, this IPSec tunneled traffic will be hitting the Outside-IN
> ACL twice before traversing the ASA: the encrypted and the tunneled
> traffic.
> How true is this? Has anyone encountered this in their configuration
> endeavours please? Could this behaviour be specific to a version of code
> run on the ASA?
>
The "in other words" interpretation is incorrect; the author never stated
that in the first paragraph :).
With sysopt = no ACL check, without sysopt = ACL check ONCE.
In older IOS versions there used to be a double ACL check, but not on the
Finesse OS (PIX/ASA).
Regards
Farrukh
>
> Thanks in advance,
> Sadiq
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Apr 30 2009 - 12:04:48 ART
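The two behaviours discussed in the thread, shown as an added ASA configuration example that is not from the original thread or the book. Interface, ACL, network and group-policy names are assumed; it also goes slightly beyond the thread by showing where access control has to live when the interface ACL is bypassed.

```text
! Check which behaviour the box is running ("all" shows the default too):
!   show running-config all sysopt
!
! --- Option A: default ASA behaviour, sysopt connection permit-vpn enabled ---
! Decrypted IPsec traffic arriving on "outside" is never matched against the
! OUTSIDE-IN ACL. The interface ACL therefore gives no control over what the
! VPN peer may reach; restrict it in the group policy instead (vpn-filter).
sysopt connection permit-vpn
access-list VPN-FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
group-policy SITE-B-GP attributes
 vpn-filter value VPN-FILTER
!
! --- Option B: sysopt disabled, interface ACL checked ONCE on decrypted traffic ---
! ISAKMP (UDP/500, UDP/4500) and ESP are addressed to the ASA itself and
! terminate on the box, so they are not subject to the interface ACL; only the
! tunneled (decrypted) flows hit OUTSIDE-IN, and they must be permitted here.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

With Option B a missing permit line shows up as ACL denies in the syslog for the inner (private) addresses, which is the quickest way to confirm the single ACL check described above.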