
Route Based VPN FTD

benolyndav
Level 4

Hi

We have several policy-based VPNs. I have read in a Cisco document that sysopt permit-vpn is not supported with route-based VPN and that I will need to configure access control for this. That being said, does this affect our policy-based VPNs, which have the "Bypass Access Control for decrypted traffic (sysopt permit-vpn)" box checked, or will they be OK?

Thanks

1 Accepted Solution


@benolyndav you can create a route-based VPN; just create explicit Access Control rules for traffic that is routed over that route-based VPN tunnel.


4 Replies

@benolyndav VPN traffic (policy-based or route-based) on FTD needs to be explicitly permitted in the Access Control rules.

I would not want to bypass the ACP for VPN traffic; it is better to explicitly allow/deny the traffic.

Hi @Rob Ingram
Yes, I agree, but unfortunately that's the way the VPNs are configured, with the sysopt box checked. I have wondered why myself.
Cisco's documentation has this line below; does this mean I can't create route-based VPNs, as we have sysopt selected on our policy-based VPNs?
(Note: sysopt connection permit-vpn does not work with Route Based VPN tunnels. The Access Control Rules need to be configured for both IN - OUT zones and OUT - IN zones.)

Thanks


When you use sysopt permit-vpn, it affects traffic passing through the interface you enable IPsec on.

The route-based VPN uses a different interface and hence is not affected by sysopt (bypass).

MHM
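As an added illustration (not from any poster in this thread), here is a small Python audit over constructed rule data that performs the check the quoted Cisco note implies: for every route-based tunnel, an ALLOW rule must exist in both zone directions, since the sysopt bypass does not cover it. The `Rule`/`Tunnel` structures, zone names and tunnel names are assumptions loosely modelled on FMC Access Control rules, not an FMC API.

```python
# Audit of constructed FTD Access Control rules for route-based (VTI) VPN coverage:
# 'sysopt connection permit-vpn' does not bypass the ACP for route-based tunnels,
# so VTI traffic must be allowed explicitly in both zone directions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    action: str  # "ALLOW" or "BLOCK"

@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str         # "route-based" or "policy-based"
    vti_zone: str     # security zone assigned to the VTI ("" for policy-based)
    inside_zone: str

def direction_allowed(rules, src, dst):
    """First-match evaluation; no matching rule means the default action (block)."""
    for r in rules:
        if src in r.src_zones and dst in r.dst_zones:
            return r.action == "ALLOW"
    return False

def audit(tunnels, rules):
    """Return {tunnel: [problems]} for route-based tunnels missing an ALLOW in either direction."""
    findings = {}
    for t in tunnels:
        if t.kind != "route-based":
            continue  # the sysopt bypass still covers policy-based tunnels
        problems = []
        for src, dst in ((t.inside_zone, t.vti_zone), (t.vti_zone, t.inside_zone)):
            if not direction_allowed(rules, src, dst):
                problems.append(f"no ALLOW rule {src} -> {dst}")
        if problems:
            findings[t.name] = problems
    return findings

# Constructed sample data; zone and tunnel names are hypothetical.
RULES = [
    Rule("inside-to-branchA", frozenset({"inside"}), frozenset({"vti-branchA"}), "ALLOW"),
    # branchA has no return-direction rule: the one-way gap the Cisco note warns about.
    Rule("inside-to-branchB", frozenset({"inside"}), frozenset({"vti-branchB"}), "ALLOW"),
    Rule("branchB-to-inside", frozenset({"vti-branchB"}), frozenset({"inside"}), "ALLOW"),
]
TUNNELS = [
    Tunnel("branchA", "route-based", "vti-branchA", "inside"),
    Tunnel("branchB", "route-based", "vti-branchB", "inside"),
    Tunnel("hq-legacy", "policy-based", "", "inside"),
]
```

Running `audit(TUNNELS, RULES)` reports only branchA, because its VTI-to-inside direction has no rule while branchB is covered both ways and the policy-based tunnel is skipped.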
