VPN's to ASA 5520 - Do you have your rules open or locked down?

Feb 16th, 2009
I have many VPNs connecting to our ASA 5520 firewall. They are all our own remote offices, so no external companies, etc.

I currently only open the ports that they require, as all the servers are hosted where the ASA is (no servers are offsite; all VPNs come inbound for the servers), but I'm sure this puts extra strain on the ASA's CPU and memory and maybe slows down the connection from the VPNs while it processes the rules.

I was wondering what you do: do you lock yours down, or simply have an IP any any rule?

I could be totally wrong and maybe there is no CPU and memory overhead and locking down is the best model.

Thanks for your time.

Ivan Martinon Mon, 02/16/2009 - 07:16
  • Cisco Employee

Hi, ASA and PIX devices have a feature that bypasses any access rule applied to the outside interface if the traffic passing from outside to inside is IPsec (VPN) traffic. This should be enabled by default, so you should not worry about the ACLs being processed. HTH

whiteford Mon, 02/16/2009 - 11:39
I disabled this rule so I could control the VPNs by ACLs. I was just wondering if my ACLs add a big overhead to the CPU/memory, and whether it is an industry/Cisco standard to leave the trusted VPNs completely open.

I spent ages locking them down, but I am just interested in what you guys do.

I guess there is no right or wrong way of doing it is there?


Ivan Martinon Mon, 02/16/2009 - 11:52
  • Cisco Employee

Well, it is recommended to disable ACL checking if you are really confident in the peers you make the VPN to. If you want to have really granular control of what they are seeing and what they are able to see, then this would be your best option (enable ACL check). As for the processing, I think it might impact it if you really have tons of tunnels and tons of traffic going through those tunnels, but if we are talking about a few, no need to worry.
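The feature Ivan describes is the ASA `sysopt connection permit-vpn` setting, and the two models discussed in this thread (trust the tunnels vs. lock them down with the outside ACL) look like this in ASA configuration. This is an added example, not configuration from anyone in the thread; the subnet, server addresses, ports and ACL name are placeholders.

```cisco
! Added example, not from the thread. Addresses, ACL name and ports are placeholders.
! Use ONE of the two models below, not both.
!
! --- Model 1: trust the tunnels (ASA/PIX default) ---
! Decrypted IPsec traffic from the remote offices bypasses the ACL applied
! to the "outside" interface, so no per-VPN rules are processed for it.
sysopt connection permit-vpn
!
! --- Model 2: lock the tunnels down (what the original poster did) ---
! Turn the bypass off so decrypted VPN traffic is checked against the
! inbound ACL on "outside" like any other outside-to-inside traffic.
no sysopt connection permit-vpn
!
! Remote office LAN 10.10.0.0/24 (placeholder) may reach only the file
! server 192.168.1.10 on SMB and the mail server 192.168.1.20 on SMTP.
access-list OUTSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 host 192.168.1.10 eq 445
access-list OUTSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 host 192.168.1.20 eq 25
! Everything else from the tunnels hits the implicit deny at the end of the ACL.
access-group OUTSIDE_IN in interface outside
!
! --- Checks ---
! Confirm which model is active, and use hit counts to see whether the
! outside ACL is actually being evaluated for tunnel traffic.
show running-config sysopt
show access-list OUTSIDE_IN
```

If the hit counts on OUTSIDE_IN stay at zero while VPN traffic flows, the bypass is still enabled and the ACL is not being consulted for that traffic.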