Access-List

ray_stone
Level 1

Hi, we have an ASA 5505 FW in production which is working fine, but the inside NOC users connect to the Miami servers located at the data center. We can connect to those servers by using the Lucent VPN client, and for giving access to the servers I have made the following access-list:

access-list outside_access_in_1 extended permit esp any any

Can I make the access-list port based, i.e. if I open port 50 directly, will it work instead of making the ESP rule?

May I know whether the above command is sufficient security-wise, or is there any other rule we can make for allowing the IPsec traffic from outside?

1 Accepted Solution

Accepted Solutions

Farrukh Haroon
VIP Alumni

Please note that ESP = IP protocol #50 and not port #50 (like we have in UDP/TCP).

However, you can make your access-list more granular: you will always know the IP address of the VPN gateway (server), so you can put that as 'host' in the access-list:

access-list outside_access_in_1 extended permit esp any host N.N.N.N

Assuming the VPN server is behind the ASA.

Regards

Farrukh

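As an added illustration (not configuration from the thread or from Cisco), the original blanket ACE beside the tighter form from the accepted answer, with the ISAKMP control channel from the second reply. The addresses are placeholders, and the UDP/4500 NAT-T line is my assumption for tunnels that traverse a NAT device; the thread does not mention it.

```cisco
! Original (too broad): any outside host may send ESP to any inside host
access-list outside_access_in_1 extended permit esp any any

! Tighter form: only the Miami VPN gateway may send ESP to the local peer.
! 203.0.113.10 = Miami VPN gateway, 192.0.2.20 = local peer (placeholders)
no access-list outside_access_in_1 extended permit esp any any
access-list outside_access_in_1 extended permit esp host 203.0.113.10 host 192.0.2.20

! ISAKMP (IKE phase 1) runs over UDP/500 and must be permitted separately
access-list outside_access_in_1 extended permit udp host 203.0.113.10 host 192.0.2.20 eq isakmp

! Assumption: UDP/4500 (NAT-T) only if a NAT device sits between the peers
access-list outside_access_in_1 extended permit udp host 203.0.113.10 host 192.0.2.20 eq 4500

access-group outside_access_in_1 in interface outside

! Verification: hit counts should climb on the host-specific ACEs, not on
! any remaining 'any any' entry, and the SAs should show as established
show access-list outside_access_in_1
show crypto isakmp sa
show crypto ipsec sa
```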

4 Replies

paulwhite1977
Level 1

Hi Ray,

Really, for your VPN tunnel you need to ensure that you specify the from and to groups rather than a blanket any any.

Depending on the transform sets, you will also need to permit either AHP or, more likely, ISAKMP:

access-list 101 permit udp from to eq isakmp

Debugging the tunnel:

show crypto ipsec sa

show crypto isakmp sa

will reveal whether the stages are passed; if you debug the first stage, it may be revealed that the ends do not have matching transform sets.

Regarding the additional ACE suggestion:

AHP would be an alternative to ESP, but not an alternative to ISAKMP.

michael.leblanc
Level 4

Most of your VPN security is going to be derived from making good ISAKMP and IPSec policy decisions such as:

- The size of your RSA keys (modulus) when using RSA-ENCR or RSA-SIG, each of which is preferable to pre-shared keys.

- Defining specific peers when possible.

- Lifetimes of the ISAKMP SA, and IPSec SAs

- Choice of authentication and encryption transforms for ISAKMP and IPSec

- DH Group

- PFS (Perfect Forward Secrecy)
