IPSEC thru ASA 7.x

Answered Question
May 8th, 2008

Topology: Router1 <->(outside)ASA(inside) <-> Router2


IPSEC tunnel from Router1 to Router2


With the routers being the IPsec endpoints, do I need to explicitly permit ESP & ISAKMP on both the inside and outside interfaces in the inward direction of the ASA?


Or will it be enough to permit ESP & ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?

srue Thu, 05/08/2008 - 11:23

Do you have any other ACLs on your ASA besides an inbound ACL on your outside interface?

On your inbound ACL on the outside interface of the ASA, you need to permit udp/500 and esp.

You could also use ipsec-pass-thru.

Are you having problems bringing the tunnel up?

vikram_anumukonda Thu, 05/08/2008 - 17:11

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https


access-list outside extended permit esp any any

access-list outside extended permit udp any any eq 500


access-group inside in interface inside

access-group outside in interface outside


In this scenario, do I need to explicitly permit esp from inside to outside for the tunnel to get established from R1 to R2?


Thanks,

Vikram

Correct Answer
srue Thu, 05/08/2008 - 18:10

Yes, if the VPN might be initiated from the Router1 side.

Add the following:

access-list inside extended permit esp any any

access-list inside extended permit udp any any eq 500
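As an added example (not from the thread, and not Cisco code): a small Python checker that parses ASA extended ACL lines and reports whether a named ACL explicitly permits ISAKMP (UDP/500) and ESP between two addresses, fed with Vikram's ACLs and then with the two lines from the accepted answer appended. The addresses are assumptions (10.1.1.5 stands in for a.b.c.d, 10.1.1.1 for Router2 on the inside, 192.0.2.1 for Router1 on the outside), and the parser handles only the any/host/mask address forms and the eq port operator, which is all the thread's lines use.

```python
"""Evaluate whether an ASA interface ACL explicitly permits the IPsec
control flow (ISAKMP, UDP/500) and data flow (ESP, IP protocol 50)
between two endpoints.  Added example for this thread, not device output."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the poster's ACLs with placeholder addresses
# (10.1.1.5 stands in for "a.b.c.d" in the original post).
ORIGINAL_CONFIG = """
access-list inside extended permit tcp host 10.1.1.5 gt 1023 any eq www
access-list inside extended permit tcp host 10.1.1.5 gt 1023 any eq https
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq 500
access-group inside in interface inside
access-group outside in interface outside
"""

# The two lines the accepted answer adds to the inside ACL.
FIXED_CONFIG = ORIGINAL_CONFIG + """
access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
"""

# Assumed router addresses: Router2 sits on the inside, Router1 on the outside.
R2_INSIDE = "10.1.1.1"
R1_OUTSIDE = "192.0.2.1"

PORT_NAMES = {"www": 80, "https": 443, "isakmp": 500, "domain": 53}
PORT_OPS = ("eq", "gt", "lt", "neq", "range")


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "esp", "udp", "tcp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # destination port for "eq", else None


def _addr(tokens, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D M.M.M.M."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Consume an optional port operator; only 'eq' yields a concrete port.
    Other operators (gt/lt/neq/range) are treated as 'any port' here, a
    simplification that only over-approximates what the ACE permits."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    if op == "range":
        return None, i + 3
    value = tokens[i + 1]
    port = PORT_NAMES.get(value) or int(value)
    return (port if op == "eq" else None), i + 2


def parse_acl(config, name):
    """Return the ACEs of the named extended ACL in configuration order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        src, i = _addr(t, 5)
        _, i = _port(t, i)                 # source port spec, not evaluated
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(t[3], t[4], src, dst, dport))
    return aces


def acl_permits(aces, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation with the ASA's implicit deny at the end.
    Only an ACE naming the same protocol keyword counts as a match, so this
    reports whether the ACL carries an explicit entry for the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != proto or src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def ipsec_gaps(config, acl_name, src_ip, dst_ip):
    """List the IPsec flows (proto, dport) the named ACL does not permit
    from src_ip to dst_ip; an empty list means ISAKMP and ESP both pass."""
    needed = [("udp", 500), ("esp", None)]
    aces = parse_acl(config, acl_name)
    return [(p, d) for p, d in needed
            if not acl_permits(aces, p, src_ip, dst_ip, d)]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("with the added lines", FIXED_CONFIG)):
        print(label)
        print("  outside ACL, R1 -> R2 gaps:", ipsec_gaps(cfg, "outside", R1_OUTSIDE, R2_INSIDE))
        print("  inside ACL,  R2 -> R1 gaps:", ipsec_gaps(cfg, "inside", R2_INSIDE, R1_OUTSIDE))
```

With the original ACLs the inside ACL reports both flows missing in the R2-to-R1 direction while the outside ACL reports none; with the two added lines both directions are clear. If either router sits behind NAT, the same check should also cover UDP/4500 (NAT-T), which the thread does not discuss.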

vikram_anumukonda Thu, 05/08/2008 - 20:32

I believe the same config (after your line additions) would hold good when the VPN is being initiated from R2 to R1. Is that correct?

vikram_anumukonda Fri, 05/09/2008 - 00:32

One last question:

access-list inside extended permit ip any any

Will it take care of everything (including ESP and ISAKMP)?

srue Sun, 05/11/2008 - 08:43

It will not take care of ESP.
