ASA 5510 firewall rules for VPN from inside to outside

Unanswered Question
May 28th, 2009

Hi! Sorry if this question is not in the correct topic section. I need to set up access for using VPN from inside (NAT used) to outside. I mean, some of our students/staff need to access an outside location via VPN. What firewall rules must I set up? I remember that with Novell BorderManager there were several access rules to be set up and ... even then VPN access from inside to outside was not always granted; it depended.

More thanks, Alar.

Alar Pandis Thu, 05/28/2009 - 03:10

Hi again!

I tried to find something via the internet. Let me explain a little bit more. What I meant is: are there some standard ports that must be open on the ASA 5510 for connecting the most common (!?) VPN clients through the ASA from inside to outside to their own VPN site?

More thanks, Alar.

jjohnston1127 Mon, 06/01/2009 - 06:18

Most VPNs use UDP ports 500 and 4500 for VPN connectivity. You should also enable GRE access.

r-garrison Mon, 06/01/2009 - 14:41

GRE is only necessary for Microsoft PPTP connections. Also, you should only have to open ports on the firewall if you have an ACL applied in the inbound direction of the inside interface (access-group FOO in interface inside) ... unless you've applied an outbound ACL on the outside interface, but that is non-typical. If you do have an ACL blocking the traffic, you will need to know what type of VPN they are using. If it is Microsoft PPTP, then you will need to allow GRE (IP protocol #47) out, and you will need to allow PPTP (TCP port 1723) out. If they want IPSec with UDP as the transport, then you should be able to get by with UDP/500 for ISAKMP and IP protocol #50 for ESP (I doubt they are using AH, so #51 should not be needed), and you will need UDP/4500 if they are using NAT-T (which is likely).

One other thing that you may need: if the client is not capable of NAT-T, you may need to enable IPSec inspection. If the client is doing a Microsoft PPTP VPN, you will definitely need PPTP inspection. Please see the below links.
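For a reader who wants to see the rules above as ASA configuration, here is an added example put together for this page; it is not from either poster and not from any Cisco document. It assumes an inside network of 10.0.0.0/24, an inside-interface ACL named INSIDE_IN, and the default global policy-map names that the ASA ships with (global_policy / inspection_default). Only the lines matching the VPN type in use are needed, and none of the permit lines are needed at all if no ACL is applied inbound on the inside interface.

```text
! --- IPsec client (IKE + ESP, plus NAT-T for clients behind PAT) ---
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any eq isakmp
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any eq 4500
access-list INSIDE_IN extended permit esp 10.0.0.0 255.255.255.0 any
! AH (IP protocol 51) is rarely used; add only if the remote site requires it:
! access-list INSIDE_IN extended permit ahp 10.0.0.0 255.255.255.0 any

! --- Microsoft PPTP client (TCP 1723 control channel + GRE data channel) ---
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq pptp
access-list INSIDE_IN extended permit gre 10.0.0.0 255.255.255.0 any

! Apply the ACL inbound on the inside interface (the case r-garrison describes).
access-group INSIDE_IN in interface inside

! --- Inspection engines ---
! PPTP inspection is required so the ASA can track the GRE call and
! translate it for clients behind NAT.
! IPsec pass-through inspection lets ESP follow the ISAKMP session when a
! client does not support NAT-T.
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru
```

Two practical notes: with several clients behind one PAT address, only NAT-T (UDP/4500) lets them run simultaneously, because bare ESP carries no port to PAT on; and `show access-list INSIDE_IN` with hit counts, together with the log messages for denied packets (the "106023"-family entries the ASA produces by default), is the quickest way to see which of these lines a failing client is actually hitting.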

Alar Pandis Tue, 06/02/2009 - 08:19

Thank you! I'll add the described exceptions too. I can't check/try it out, but ... probably I'll see something in the ASA log and can set/fix issues when something happens. I've just set up the device now; it is not in the "line of fire" yet.

More thanks, Alar.
