05-08-2008 08:27 AM - edited 02-21-2020 03:43 PM
Topology: Router1 <->(outside)ASA(inside) <-> Router2
IPSEC tunnel from Router1 to Router2
With the routers being the IPsec endpoints, do I need to explicitly permit ESP & ISAKMP on both the inside and outside interfaces in the inward direction of the ASA?
Or will it be enough to permit ESP & ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?
05-08-2008 11:23 AM
Do you have any other ACLs on your ASA besides an inbound ACL on your outside interface?
on your inbound ACL on the outside interface of the ASA, you need to permit udp/500 and esp.
you could also use ipsec-pass-thru.
are you having problems bringing the tunnel up?
05-08-2008 05:11 PM
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq 500
access-group inside in interface inside
access-group outside in interface outside
In this scenario, do I need to explicitly permit ESP from inside to outside for the tunnel to get established from R1 to R2?
Thanks,
Vikram
05-08-2008 06:10 PM
yes, if the vpn might be initiated from the router1 side.
add the following:
access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
05-08-2008 08:32 PM
I believe the same config (after your line additions) would hold good when the VPN is being initiated from R2 to R1. Is that correct?
05-09-2008 12:32 AM
One last question:
access-list inside extended permit ip any any
Will it take care of everything (including ESP and ISAKMP)?
05-11-2008 08:43 AM
it will not take care of esp.
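The thread's entries use "any any" on both interfaces. As an added example (not the original poster's or the answerer's configuration), here is the same pair of ACLs scoped to just the two tunnel endpoints, so only Router1 and Router2 can exchange ISAKMP and ESP through the ASA. The addresses 192.0.2.1 (Router1) and 10.0.0.2 (Router2) are placeholders, and the www/https entries are the ones already posted in the thread.

```cisco
! Added example, not the thread's own configuration.
! Placeholder addresses: 192.0.2.1 = Router1 (outside side of the ASA),
!                        10.0.0.2  = Router2 (inside side of the ASA)
!
! Outside interface, inbound: ISAKMP (UDP/500) and ESP from Router1 to Router2
access-list outside extended permit udp host 192.0.2.1 host 10.0.0.2 eq 500
access-list outside extended permit esp host 192.0.2.1 host 10.0.0.2
!
! Inside interface, inbound: the existing web entries from the thread, plus
! ISAKMP and ESP from Router2 to Router1 so the tunnel can also be brought up from R2
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www
access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https
access-list inside extended permit udp host 10.0.0.2 host 192.0.2.1 eq 500
access-list inside extended permit esp host 10.0.0.2 host 192.0.2.1
!
access-group outside in interface outside
access-group inside in interface inside
!
! Check: while the routers negotiate, the hit counts on the udp/500 and esp
! entries should increase on both interfaces:
!   show access-list outside
!   show access-list inside
!
! Caveat outside this thread's topology: if either router sits behind NAT,
! the endpoints switch to NAT-T and ESP travels inside UDP/4500, which then
! needs its own permit entry in place of (or alongside) the esp line.
```

Scoping the entries to the endpoint hosts keeps the same behaviour the thread arrives at (ISAKMP and ESP allowed inbound on both interfaces) while closing the ACL to unrelated IPsec traffic crossing the firewall.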