specifying tcp ports on a vpn's acl

Sep 17th, 2008
I need to create a site-to-site VPN tunnel and was told that it's not a good idea to specify the TCP ports on the associated ACL. The reason had something to do with the stability or reliability of the tunnel. From a security standpoint, I would think that having the ports would be better. What's the best way to go?

suschoud Wed, 09/17/2008 - 07:22

Using a port range in the crypto ACL is never recommended, because every port in the specified port range will create a tunnel. It puts a heavy load on the VPN gateway and could crash the device if it can't handle that many tunnels.

The better way: use "ip" or "tcp" in the ACL; do not specify the port.

Regarding security, traffic is already encrypted over the tunnel, so I do not see any threats.

Do rate helpful posts.

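Added illustration of the point made in the answer above (this is a constructed IOS configuration, not anything the poster supplied): the same crypto ACL written with ports, then without, plus an ordinary interface ACL carrying the port restriction the original question was after. All addresses, names and the peer are placeholders.

```cisco
! Constructed example: hypothetical IOS router at site A (LAN 192.168.10.0/24)
! with a site-to-site tunnel to site B (LAN 192.168.20.0/24, peer 203.0.113.2).
!
! --- Not recommended: ports inside the crypto ACL ---
! Each distinct source/destination/port combination that matches becomes its own
! proxy identity, so IPsec negotiates a separate SA pair per port. With a range
! (or with ephemeral client ports on the return path) that is the per-port
! tunnel load the answer describes.
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 range 1024 65535
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
!
! --- Recommended: protocol "ip", no ports, one SA pair for the subnet pair ---
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto map SITE-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address 110
!
! The port restriction belongs in an interface ACL, not in the crypto ACL.
! Applied outbound on the inside interface it is evaluated after decryption,
! so only HTTPS from site B reaches the site A LAN and everything else is
! dropped and logged, while the tunnel itself stays a single SA pair.
ip access-list extended FROM-SITE-B
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443
 deny ip any any log
!
interface GigabitEthernet0/1
 description inside LAN (site A)
 ip access-group FROM-SITE-B out
!
interface GigabitEthernet0/0
 description outside, towards peer 203.0.113.2
 crypto map SITE-B
```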


DARYLE DIANIS Thu, 09/18/2008 - 08:01

Thanks. Let me ask the question a different way: if it's the interesting traffic that needs the TCP port, does that make a difference? Or, for the interesting traffic, is it still recommended not to use the TCP port?

