Sysopt and vpn-filter

I currently have AnyConnect and IPsec VPN tunnels enabled on my Cisco ASA. Does the sysopt connection permit-vpn command affect all tunnels on a global level? How does it differ from the vpn-filter command applied on the group policy of AnyConnect?

Hello Venus

As described in this Cisco command reference:

For traffic that enters the ASA through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

Now this is applied to global configuration mode, so it applies to all tunnels globally. However, group policy and per-user authorization access lists still apply to the traffic.

How does this differ from using a vpn-filter? The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists, while a vpn-filter is applied to postdecrypted traffic after it exits a tunnel and to preencrypted traffic before it enters a tunnel.

Using the sysopt connection permit-vpn command is useful in situations where you might want to bypass interface ACLs for IPsec traffic if you use a separate VPN concentrator behind the ASA and want to maximize the ASA performance. More info on why and when this feature should be used can be found here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_params.html#49746

I hope this has been helpful!

Laz
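
To make the scope difference discussed in this thread concrete, here is an added ASA configuration sketch; it is not part of the original posts or of Cisco's documentation. The group policy name GP-ANYCONNECT, the ACL name AC-FILTER, the client pool 10.10.50.0/24 and the server 10.1.1.10 are assumed values chosen for illustration.

```cisco
! --- Global scope: one setting for every tunnel on the ASA ---
! Decrypted traffic from ALL VPN tunnels (AnyConnect and IPsec alike)
! bypasses the interface access lists while this is enabled.
sysopt connection permit-vpn

! --- Per-group scope: restricts only sessions that get this policy ---
! In a vpn-filter ACL the remote (VPN client) side is written as the
! source and the protected inside host or network as the destination.
! Assumed values: client pool 10.10.50.0/24, inside server 10.1.1.10.
access-list AC-FILTER extended permit tcp 10.10.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-list AC-FILTER extended deny ip any any

group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-filter value AC-FILTER

! --- Alternative: make interface ACLs apply to decrypted VPN traffic ---
! With the bypass turned off, the ACL on the interface where the tunnel
! terminates must also permit the decrypted flows, for every tunnel.
! The vpn-filter above still applies to GP-ANYCONNECT sessions as well.
! no sysopt connection permit-vpn

! --- Verification ---
! The sysopt setting is a default, so include "all" to display it.
show running-config all sysopt
show running-config group-policy GP-ANYCONNECT
```

With the bypass left enabled, the vpn-filter is the only access list here that evaluates the AnyConnect users' decrypted traffic, so the final deny entry is what limits them to the single HTTPS server.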