IPSEC thru ASA 7.x

Topology: Router1 <->(outside)ASA(inside) <-> Router2

IPSEC tunnel from Router1 to Router2

With the routers being the IPsec endpoints, do I need to explicitly permit ESP & ISAKMP on both the inside and outside interfaces in the inward direction of the ASA?

Or will it be enough to permit ESP & ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?


srue (Level 7)

Do you have any other ACLs on your ASA besides an inbound ACL on your outside interface?

On your inbound ACL on the outside interface of the ASA, you need to permit udp/500 and esp.

You could also use ipsec-pass-thru.

Are you having problems bringing the tunnel up?

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq 500
access-group inside in interface inside
access-group outside in interface outside

In this scenario, do I need to explicitly permit esp from inside to outside for the tunnel to get established from R1 to R2?

Thanks,

Vikram

Yes, if the VPN might be initiated from the Router1 side.

Add the following:

access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
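To make the accepted answer concrete, here is an added example (not from the thread and not Cisco code) that parses the access-list and access-group lines posted above and reports, for each interface with an inbound ACL, whether ESP and ISAKMP (udp/500) are permitted; the config text, including the a.b.c.d host, is the thread's own sample, embedded here as constructed input.

```python
import re
from collections import defaultdict
# Constructed sample: the ASA config Vikram posted, before srue's additions.
ASA_CONFIG = """\
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq 500
access-group inside in interface inside
access-group outside in interface outside
"""
# The two ACEs srue said to add so Router1 can initiate the tunnel.
FIX = """\
access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Return ({acl_name: [(action, proto, rest)]}, {interface: acl bound inbound})."""
    acls, inbound = defaultdict(list), {}
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            acls[m[1]].append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line.strip()):
            inbound[m[2]] = m[1]
    return acls, inbound


def permits(aces, proto, dst_port=None):
    """True if a permit ACE matches proto (and the dst port, if one is given).
    Simplification: ignores ACE order and deny entries."""
    for action, ace_proto, rest in aces:
        if action != "permit" or ace_proto != proto:
            continue
        ports = re.findall(r"\beq (\S+)", rest)  # last 'eq' is the dst port; none = any
        if dst_port is None or not ports or ports[-1] in (str(dst_port), "isakmp"):
            return True
    return False


def ipsec_check(config):
    """Per interface with an inbound ACL: are ESP and ISAKMP (udp/500) permitted?"""
    acls, inbound = parse(config)
    return {ifc: {"esp": permits(acls[acl], "esp"),
                  "isakmp": permits(acls[acl], "udp", 500)}
            for ifc, acl in inbound.items()}


if __name__ == "__main__":
    print(ipsec_check(ASA_CONFIG), ipsec_check(ASA_CONFIG + FIX))
```

Before the fix only the outside interface passes both checks; after appending the two ACEs the inside interface passes as well, which is the condition for Router1 to initiate the tunnel.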

I believe the same config (after your line additions) would hold good when the VPN is being initiated from R2 to R1. Is that correct?

One last question:

access-list inside extended permit ip any any

Will it take care of everything (including esp and isakmp)?

It will not take care of esp.
