ASA to Router VPN Access lists

Jul 26th, 2007

Hi, I have an issue tying down ports on an IPsec VPN between an ASA 5510 and an 1801 router. I can get the tunnel up no problem when allowing IP traffic, but when I try to tie it down it all goes wrong.

I would appreciate any help on this. I am just trying to allow TCP (http, https and ftp) and ICMP.

Thanks in advance


bbaley Wed, 08/01/2007 - 10:10

You need to configure an access list. Here is an example:

access-list 100 permit udp any host eq isakmp

purohit_810 Wed, 08/01/2007 - 12:08

To allow all the protocols:

object-group service TCP tcp
 port-object eq telnet
 port-object eq www
 port-object eq ftp-data
 port-object eq domain
 port-object eq https
 port-object eq ftp
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq 8080
 port-object eq ssh
 port-object eq 7070
 port-object eq 6080
 port-object eq rtsp
 port-object eq 8200
 port-object eq 2097
 port-object eq 5012
 port-object eq 990
object-group service UDP udp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq isakmp
 port-object eq 4500
 port-object eq 10000
access-list 102 extended permit udp any any object-group UDP
access-list 102 extended permit tcp any any object-group TCP
access-list 102 extended permit esp any any

Dharmesh Purohit

ciaran1977 Thu, 08/02/2007 - 01:24

Thanks for the response Dharmesh. But you can only use object-groups on the ASA; on the router (1801) you cannot define object-groups. When I try to mix object groups (on the ASA) with access lists (on the router) I cannot get the tunnel up.

Any help would be appreciated.

michaeltedeschi Mon, 08/06/2007 - 19:58

On your router you need an ACL like this in your outside interface ACL:

access-list 105 permit ahp host <remote ip> host <local ip>
access-list 105 permit esp host <remote ip> host <local ip>
access-list 105 permit udp host <remote ip> host <local ip> eq isakmp
access-list 105 permit udp host <remote ip> host <local ip> eq non500-isakmp
access-list 105 permit ip <remote internal network> <local internal network>
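As an added example, not taken from any of the posts above, here is a pair of mirror-image crypto ACLs that restrict the tunnel to HTTP, HTTPS, the FTP control channel and ICMP, with the ASA using an object-group and the 1801 carrying the same entries expanded line by line. It assumes clients on the ASA LAN (10.1.1.0/24, assumed) reach servers on the router LAN (10.2.2.0/24, assumed); the crypto map names are placeholders.

```cisco
! ===== ASA side (assumed LAN 10.1.1.0/24, the clients) =====
! The object-group is expanded into one entry per port when the crypto map is evaluated.
object-group service VPN-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
! Interesting traffic: ASA LAN -> router LAN, TCP to the listed DESTINATION ports, plus ICMP.
access-list VPN-TO-RTR extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 object-group VPN-TCP
access-list VPN-TO-RTR extended permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-RTR

! ===== 1801 side (assumed LAN 10.2.2.0/24, the servers) =====
! No object-groups here, so each port becomes its own entry, written as the exact mirror
! of the ASA entries: source and destination swapped AND the port moved to the SOURCE
! position, because the router sees the servers' replies leaving from ports 80/443/21.
! IOS ACLs use wildcard masks, not subnet masks.
ip access-list extended VPN-TO-ASA
 permit tcp 10.2.2.0 0.0.0.255 eq www 10.1.1.0 0.0.0.255
 permit tcp 10.2.2.0 0.0.0.255 eq https 10.1.1.0 0.0.0.255
 permit tcp 10.2.2.0 0.0.0.255 eq ftp 10.1.1.0 0.0.0.255
 permit icmp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map RTR_MAP 10 ipsec-isakmp
 match address VPN-TO-ASA
```

If the two ends are not exact mirrors (addresses and ports), Phase 2 fails with a proxy-identity mismatch, which is the symptom of a tunnel that only comes up with a plain permit ip. The FTP data channel (port 20 in active mode, a random port in passive mode) matches none of these entries and is therefore not carried by the tunnel.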
