vpn traffic and security acls

Answered Question
Apr 17th, 2007

I'm using a PIX 515 with ASA 7.2. I have a couple of tunnels and remote access set up. The same PIX is used as a firewall between the inside users and the Internet. I'm pretty sure there is a setting for remote access VPN connections to be exempt from ACLs, but I am not sure how it works for site-to-site tunnels. I recently implemented an ACL on my inside interface and as a precaution created an ACL that included the statement access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0

I have two questions. First, do I need that statement to allow traffic to flow from the networks connected to the inside interface of my firewall (any) to the remote end of the site-to-site tunnel (10.4.1.0/24)? Second, I thought including ip in your ACL meant any and all traffic, but in the syslog server I see certain UDP traffic being blocked. Could anyone clarify how this works for me?

thank you,

Bill

Correct Answer by Kamal Malhotra, Tue, 04/17/2007 - 05:48

Hi Bill,

The ACL statements are checked sequentially so if the UDP is denied before the IP is permitted then you'll see those messages. I'm not sure how your PIX is configured but if there is an ACL bound with the inside interface then we have to permit the VPN traffic and also need to make sure the NAT bypass is configured for such traffic.

HTH,

Please rate if it helps.

Regards,

Kamal
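To make the two points in this answer concrete (first matching line wins, and a permit ip line covers UDP, TCP and ICMP alike), here is a small first-match evaluator for PIX/ASA-style extended access-list lines. It is an added example, not code from the thread or from Cisco; the ACL lines, the inside host addresses and the Internet address are constructed, and the parser deliberately handles only the keyword, source and destination fields (no ports or object-groups). The 10.4.1.0/24 destination is the tunnel's remote network from the question.

```python
# Added example: a toy first-match evaluator for PIX/ASA-style extended ACL
# lines. It is not the PIX's code; it only reproduces the ordering rule from
# the answer above (first matching line wins, implicit deny at the end) and
# the fact that the "ip" keyword matches every protocol. All addresses and
# ACL lines below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-list entry: action, protocol keyword, source and destination."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "udp", "tcp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_net(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress accepts a dotted netmask after the slash, e.g. 10.4.1.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] {permit|deny} PROTO SRC DST' (no ports)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    src, i = _parse_net(t, i + 2)
    dst, i = _parse_net(t, i)
    return name, Ace(action, proto, src, dst)


def build_acls(lines):
    """Group parsed entries by ACL name, preserving configuration order."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match lookup. Returns (action, line_index); index None means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        # "ip" covers udp, tcp and icmp; any other keyword must match exactly
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, idx
    return "deny", None


# Constructed ACLs: the same two lines in both orders.
UDP_DENY_FIRST = [
    "access-list inside_access_in extended deny udp any any",
    "access-list inside_access_in extended permit ip any 10.4.1.0 255.255.255.0",
]
VPN_PERMIT_FIRST = list(reversed(UDP_DENY_FIRST))

# Constructed flows as (proto, src, dst): a UDP flow and a TCP flow to the
# remote site, and a UDP flow from the same inside host to an Internet address.
FLOWS = [
    ("udp", "192.168.10.25", "10.4.1.5"),
    ("tcp", "192.168.10.25", "10.4.1.5"),
    ("udp", "192.168.10.25", "203.0.113.7"),
]


def verdicts(acl_lines, flows=FLOWS, name="inside_access_in"):
    """Evaluate each flow against the named ACL; list of (proto, dst, action, index)."""
    aces = build_acls(acl_lines)[name]
    return [(p, dst, *evaluate(aces, p, src, dst)) for p, src, dst in flows]


if __name__ == "__main__":
    for title, lines in (("deny udp above permit ip", UDP_DENY_FIRST),
                         ("permit ip above deny udp", VPN_PERMIT_FIRST)):
        print(title)
        for proto, dst, action, idx in verdicts(lines):
            where = "implicit deny" if idx is None else f"line {idx + 1}"
            print(f"  {proto:4} -> {dst:12} {action:6} ({where})")
```

With the deny udp line first, UDP to 10.4.1.5 is dropped on line 1 even though line 2 would have permitted it, while TCP to the same host passes on line 2; with the permit ip line first, both UDP and TCP to the tunnel network pass on line 1 and only the Internet-bound UDP reaches the deny. On a real PIX 7.2, `show access-list inside_access_in` prints a hit count per line, which shows directly which entry is catching the logged UDP. Note also that the VPN bypass Bill is thinking of exempts decrypted tunnel traffic from the ACL on the interface it arrives on (the outside), so inside-to-tunnel traffic still needs its permit in the inside ACL plus the NAT exemption, as the answer says.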

WILLIAM STEGMAN Tue, 04/17/2007 - 07:30

So when using ip in your ACL, UDP is covered? Yes, there is an ACL bound on the inside interface, so thank you, that helps clear it up.