05-20-2008 06:59 AM
Has anybody figured out, or found an accurate document on, how to configure the interface firewall ACLs on an ASA which is accepting VPN tunnels?
I'm still not certain whether there is a need to permit IPSec, etc. in the external interface's incoming ACL, etc...?
05-20-2008 12:42 PM
Routers: yes, you need to add the ports.
PIX firewalls: no, you don't need to add the ports.
I learnt the above 2 from some painful experimenting :-)
I'm assuming the ASA follows the PIX example.
Jon
05-20-2008 06:41 PM
Jon is correct: on an ASA you only have to enable IPSec on the interface you are terminating your tunnels on, and no other ACLs are needed. On the Cisco Concentrators and Cisco routers you do need an ACL for this traffic, but it is not needed on the ASA & PIX.
05-21-2008 05:53 AM
Thanks guys... However, I have configured ACLs on the ASA, incoming on the external interface, for other reasons.
As there is an implicit deny any attached to it, is it therefore required in this case? Or does the VPN tunnel configuration override the incoming firewall ACLs? I'm asking because I have experienced odd behaviour, so I'm just not sure what exactly is required...?
05-22-2008 03:51 AM
Hi,
Are you experiencing the same problem?
Note that if the VPN ACL is above INTERFACE ACL, the VPN works.
Dandy
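As an added illustration (not from any of the posters in this thread), the following ASA 8.0-era configuration fragment shows the situation the original poster describes: an inbound ACL with only its implicit deny on the outside interface, ISAKMP enabled on that same interface, and the ASA default `sysopt connection permit-vpn` left in place, which is the setting that lets decrypted tunnel traffic bypass the interface ACL. Interface names, addresses, networks, the peer and the pre-shared key are placeholders.

```cisco
! Constructed example, not from the thread. Interface names, addresses,
! networks, the peer and the pre-shared key are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Inbound ACL on the outside interface, present "for other reasons" as in
! the thread. Nothing here permits UDP/500, UDP/4500 or ESP; the ACL ends in
! the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 443
access-group OUTSIDE_IN in interface outside
!
! Enabling ISAKMP on the interface is what makes the ASA accept IKE/ESP
! addressed to itself; no ACL entry is needed for that (the "PIX/ASA: no
! ports needed" behaviour the earlier replies describe).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Site-to-site tunnel to a placeholder peer. The crypto ACL only selects
! which traffic is encrypted; it is not a filtering ACL.
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key <placeholder-psk>
!
! ASA default, written out only to make the behaviour explicit: traffic that
! arrives through a tunnel is not checked against the interface ACL, so the
! implicit deny on OUTSIDE_IN does not block VPN traffic. If someone has
! entered "no sysopt connection permit-vpn" on a box, tunnel traffic becomes
! subject to OUTSIDE_IN, which is one way two ASAs can behave differently
! with otherwise similar configurations.
sysopt connection permit-vpn
```

Because `sysopt connection permit-vpn` is a default, it does not appear in `show running-config`; use `show running-config all` to see whether it is still in effect on a box that is behaving oddly. When `no sysopt connection permit-vpn` is in use deliberately, the inbound interface ACL must then permit the decrypted tunnel traffic, and per-tunnel `vpn-filter` ACLs in the group policy are the usual way to filter VPN traffic without touching the interface ACL.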