Also, that last line "no sysopt connection permit-vpn". You're really going to want that lol. Otherwise all internet traffic coming over your tunnel will be treated as trusted. No bueno. In other posts I've talked about using vpn-filters for L2L tunnels, but that would be a nightmare with this configuration.

Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. The default for this command is no sysopt connection permit-vpn, which means VPN traffic must also be allowed by the access control policy.

Removing sysopt connection permit-vpn Solutions | Experts

The difference between configuring vpn-filter and removing sysopt connection permit-vpn is that when you remove the sysopt, you add the allowed ports/hosts/etc. to the ACL on the outside interface. So the VPN ACEs are in between the other ACEs for the outside. When configuring vpn-filter you separate the two. It's just what you prefer.


Testing AnyConnect With Packet Tracer | PeteNetLive

Great article!! You may want to add a note about the outside ACL. In most cases, AnyConnect traffic is not added in the outside ACL as it is bypassed using the “sysopt connection permit-vpn” command. Packet-tracer just assumes that the packet comes in on the outside interface and cannot differentiate it as VPN traffic.

How To Build An IPSec VPN with Cisco ASAs & Overlapping

You can change this behavior with the no sysopt connection permit-vpn command. Then, any inbound traffic transiting the VPN tunnel must be evaluated by the outside interface ACL. The downside is that this affects all VPN tunnel traffic, including your remote access VPN and any other VPN tunnels you might have. It also would allow access to the