CHAPT ER
66-1
Cisco ASA 5500 Series Configuration Guide using the CLI
66
Setting General VPN Parameters
The ASA implementation of virtual private networking includes useful features that do not fit neatly into
categories. This chapter describes some of these features. It includes the following sections:
Configuring VPNs in Single, Routed Mode, page66-1
Configuring IPsec to Bypass ACLs, page66-1
Permitting Intra-Interface Traffic (Hairpinning), page66-2
Setting Maximum Active IPsec or SSL VPN Sessions, page66-3
Using Client Update to Ensure Acceptable IPsec Client Revision Levels, page66-4
Understanding Load Balancing, page 66-6
Configuring Load Balancing, page66-11
Configuring VPN Session Limits, page66-16
Note SSL VPN in this chapter refers to the SSL VPN client (AnyConnect 2.x or its predecessor, SVC 1.x),
unless clientless (browser-based) SSL VPN is specified.

Configuring VPNs in Single, Routed Mode

VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include
either security contexts, also referred to as multimode firewall, or Active/Active stateful failover.
The exception to this caveat is that you can configure and use one connection for administrative purposes
to (not through) the ASA in transparent mode.

Configuring IPsec to Bypass ACLs

To permit any packets that come from an IPsec tunnel without checking ACLs for the source and
destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.
You might want to bypass interface ACLs for IPsec traffic if you use a separate VPN concentrator behind
the ASA and want to maximize the ASA performance. Typically, you create an ACL that permits IPsec
packets by using the access-list command and apply it to the source interface. Using an ACL is more
secure because you can specify the exact traffic you want to allow through the ASA.
The syntax is sysopt connection permit-vpn. The command has no keywords or arguments.