Firewall ACL Rules on ASAs

Unanswered Question
May 20th, 2008

Has anybody figured out, or found an accurate document, on how to configure the interface firewall ACLs on an ASA which is accepting VPN tunnels?

I'm still not certain whether there is a need to permit IPSec, etc. against the external i/f incoming ACL, etc...?

Jon Marshall Tue, 05/20/2008 - 12:42

Routers yes you need to add the ports.

Pix firewalls no you don't need to add the ports.

I learnt the above 2 from some painful experimenting :-)

I'm assuming the ASA follows the Pix example.


vabruno Tue, 05/20/2008 - 18:41

Jon is correct. On an ASA you only have to enable IPSec on the interface you are terminating your tunnels on, and no other ACLs are needed. On the Cisco Concentrators and Cisco routers you do need an ACL for this traffic, but it is not needed on the ASA & PIX.

8c-stone Wed, 05/21/2008 - 05:53

Thanks Guys...However, I have configured ACLs on the ASA, incoming on the external interface, for other reasons.

As there is an implicit deny any attached to it, is it therefore required in this case? Or does the VPN tunnel configuration override the incoming firewall ACLs? I'm asking because I have experienced odd behaviour, so I'm just not sure what exactly is required...?
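As an added illustration, not part of any post in this thread, the fragment below shows what "enabling IPSec on the interface" looks like in ASA 7.x/8.x syntax, alongside the default setting that decides whether decrypted tunnel traffic is checked against the inbound interface ACL and its implicit deny. The interface name "outside", the address 203.0.113.10, the ACL name and the IKE/IPsec parameters are assumptions for the example; the crypto map and tunnel-group lines are omitted.

```cisco
! Added example (ASA 7.x/8.x syntax); names and addresses are assumed.
!
! Inbound ACL on the outside interface: only what the site needs is
! permitted, everything else falls to the implicit deny at the end.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! "Enabling IPSec on the interface": with ISAKMP enabled here, the ASA
! accepts IKE and ESP on the outside interface without those protocols
! being listed in OUTSIDE_IN.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! This (default) setting answers the implicit-deny question: while it
! is present, traffic arriving through an established tunnel bypasses
! the interface ACL, so restrict it with a vpn-filter in the group
! policy instead. With "no sysopt connection permit-vpn", decrypted
! traffic is subject to OUTSIDE_IN and needs explicit permit entries.
sysopt connection permit-vpn
```

Because `sysopt connection permit-vpn` is a default, it does not appear in a plain `show running-config`; `show running-config all sysopt` shows whether it is in effect, which is the first thing to check when tunnel traffic behaves inconsistently with the interface ACL.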

