IPsec through ASA 7.x

Answered Question
May 8th, 2008

Topology: Router1 <->(outside)ASA(inside) <-> Router2

IPSEC tunnel from Router1 to Router2

With the routers being the IPsec endpoints, do I need to explicitly permit ESP and ISAKMP on both the inside and outside interfaces in the inbound direction of the ASA?

Or will it be enough to permit ESP and ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?

srue Thu, 05/08/2008 - 11:23

Do you have any other ACLs on your ASA besides an inbound ACL on your outside interface?

On your inbound ACL on the outside interface of the ASA, you need to permit UDP/500 and ESP.

You could also use ipsec-pass-thru.

Are you having problems bringing the tunnel up?

vikram_anumukonda Thu, 05/08/2008 - 17:11

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https

access-list outside extended permit esp any any

access-list outside extended permit udp any any eq 500

access-group inside in interface inside

access-group outside in interface outside

In this scenario, do I need to explicitly permit ESP from inside to outside for the tunnel to get established from R1 to R2?

Thanks,

Vikram

Correct Answer
srue Thu, 05/08/2008 - 18:10

Yes, if the VPN might be initiated from the Router1 side.

Add the following:

access-list inside extended permit esp any any

access-list inside extended permit udp any any eq 500

vikram_anumukonda Thu, 05/08/2008 - 20:32

I believe the same config (after your line additions) would hold good when the VPN is being initiated from R2 to R1. Is that correct?

vikram_anumukonda Fri, 05/09/2008 - 00:32

One last question:

access-list inside extended permit ip any any

Will it take care of everything (including ESP and ISAKMP)?
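
The following is an added illustration, not something posted in this thread and not Cisco code: a small Python model of how an ASA decides whether the first packet of a new connection is allowed. It parses the ACE forms used above (`permit esp any any`, `permit udp any any eq 500`, `permit tcp host ... gt 1023 any eq www`, `permit ip any any`), applies the inbound ACL bound to the ingress interface with the usual first-match and implicit-deny semantics, and falls back to the security-level rule (higher to lower permitted) when an interface has no ACL bound. Return traffic of an established connection is passed statefully by the ASA without consulting the egress interface's ACL, so only first packets are modelled. The router addresses and the stand-in for `a.b.c.d` are constructed documentation addresses. The model runs the posted config, the posted config plus the two added inside lines, and the `permit ip any any` variant, reporting which tunnel flows could open a new connection from each side.

```python
"""ASA-style first-packet ACL evaluation for the ACLs discussed in the thread.
Added example, not Cisco code; only the ACE syntax used in the thread is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ah": 51}  # "ip" means any protocol
PORT_NAMES = {"www": 80, "https": 443, "isakmp": 500}
SECURITY_LEVEL = {"outside": 0, "inside": 100}  # ASA defaults for interfaces with these names


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def _take_port_op(toks, i):
    """Consume an optional eq/gt/lt/range qualifier; return (port predicate, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "range"):
        op = toks[i]
        if op == "range":
            lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
            return (lambda p: p is not None and lo <= p <= hi), i + 3
        n = _port(toks[i + 1])
        pred = {"eq": lambda p: p == n,
                "gt": lambda p: p is not None and p > n,
                "lt": lambda p: p is not None and p < n}[op]
        return pred, i + 2
    return (lambda p: True), i  # no qualifier: any port, or a port-less protocol


@dataclass
class Ace:
    permit: bool
    proto: Optional[int]  # None = "ip": any IP protocol, so it also covers ESP (50) and UDP/500
    src: ipaddress.IPv4Network
    sport_ok: Callable[[Optional[int]], bool]
    dst: ipaddress.IPv4Network
    dport_ok: Callable[[Optional[int]], bool]

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src and self.sport_ok(pkt.sport)
                and ipaddress.ip_address(pkt.dst) in self.dst and self.dport_ok(pkt.dport))


def parse_ace(line: str):
    """'access-list NAME extended permit|deny PROTO SRC [op] DST [op]' -> (NAME, Ace)."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    proto = None if t[4] == "ip" else PROTO_NUM[t[4]]
    src, i = _take_addr(t, 5)
    sport_ok, i = _take_port_op(t, i)
    dst, i = _take_addr(t, i)
    dport_ok, i = _take_port_op(t, i)
    return t[1], Ace(t[3] == "permit", proto, src, sport_ok, dst, dport_ok)


def build(config):
    """Collect ACEs by ACL name and the interface each ACL is bound to inbound."""
    acls, bound = {}, {}
    for line in config:
        t = line.split()
        if t[0] == "access-list":
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]
    return acls, bound


def first_packet_permitted(config, ingress, egress, pkt) -> bool:
    """New connection: ingress ACL decides by first match (implicit deny); with no ACL bound,
    only higher-to-lower security level traffic is allowed."""
    acls, bound = build(config)
    if ingress in bound:
        for ace in acls.get(bound[ingress], []):
            if ace.matches(pkt):
                return ace.permit
        return False
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


# Constructed addresses: Router1 (outside), Router2 (inside), stand-in for the thread's a.b.c.d
R1, R2, CLIENT = "203.0.113.1", "192.0.2.2", "192.0.2.10"
POSTED = [
    f"access-list inside extended permit tcp host {CLIENT} gt 1023 any eq www",
    f"access-list inside extended permit tcp host {CLIENT} gt 1023 any eq https",
    "access-list outside extended permit esp any any",
    "access-list outside extended permit udp any any eq 500",
    "access-group inside in interface inside",
    "access-group outside in interface outside",
]
ADDITIONS = ["access-list inside extended permit esp any any",
             "access-list inside extended permit udp any any eq 500"]
IP_ANY = ["access-list inside extended permit ip any any"]

IKE_FROM_R1, ESP_FROM_R1 = Packet(R1, R2, 17, 500, 500), Packet(R1, R2, 50)
IKE_FROM_R2, ESP_FROM_R2 = Packet(R2, R1, 17, 500, 500), Packet(R2, R1, 50)


def report(config):
    """Which tunnel flows could open a new connection through the ASA, by initiating side."""
    return {
        "ike_from_router1": first_packet_permitted(config, "outside", "inside", IKE_FROM_R1),
        "esp_from_router1": first_packet_permitted(config, "outside", "inside", ESP_FROM_R1),
        "ike_from_router2": first_packet_permitted(config, "inside", "outside", IKE_FROM_R2),
        "esp_from_router2": first_packet_permitted(config, "inside", "outside", ESP_FROM_R2),
    }


if __name__ == "__main__":
    for label, cfg in [("posted", POSTED), ("posted + inside esp/udp500", POSTED + ADDITIONS),
                       ("posted + inside permit ip any any", POSTED + IP_ANY)]:
        print(label, report(cfg))
```

With the posted config, flows that Router2 originates through the inside interface are dropped by the inside ACL's implicit deny because it only lists TCP 80/443; adding the two inside lines, or a blanket `permit ip any any` (which matches every IP protocol, ESP included, at the cost of permitting everything else too), lets them through. Removing the inside ACL binding altogether would also permit them, since inside (100) to outside (0) is allowed by default.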
