ASA 5510 firewall rules for VPN from inside to outside

Alar Pandis
Level 1

Hi! Sorry if this question is not in the correct topics section. I need to set up access for using VPN from inside (NAT used) to outside! I mean, someone from our students/staff needs to access an outside location via VPN. What firewall rules must I set up? I remember, with Novell BorderManager there were several access rules to be set up and ... even then VPN access from inside to outside was not always granted, it depends.

More thanks, Alar.

5 Replies

Alar Pandis
Level 1

Hi again!

I tried to find something via the internet. Let me explain a little bit more. What I meant is: are there some standard ports that must be open on the ASA 5510 for connecting the most common (!?) VPN clients through the ASA from inside to outside to their own VPN site?

More thanks, Alar.

Most VPNs use UDP ports 500 and 4500 for VPN connectivity. You should also enable GRE access.

Thank You!

Alar.

r-garrison
Level 1

GRE is only necessary for Microsoft PPTP connections. Also, you should only have to open ports on the firewall if you have an ACL applied on the inbound direction of the inside interface (access-group FOO in interface inside)...unless you've applied an outbound ACL on the outside interface, but that is non-typical. If you do have an ACL blocking the traffic, you will need to know what type of VPN they are using. If it is Microsoft PPTP, then you will need to allow GRE (IP Protocol #47) out, and you will need to allow PPTP (TCP port 1723) out. If they are wanting IPSec with UDP as the transport, then you should be able to get by with UDP/500 for ISAKMP and IP Protocol #50 for ESP (I doubt they are using AH, so #51 should not be needed), and you will need UDP/4500 if they are using NAT-T (which is likely).

One other thing that you may need. If the client is not capable of NAT-T, you may need to enable IPSec inspection. If the client is doing a Microsoft PPTP VPN, you will definitely need PPTP inspection. Please see the links below.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1432892
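One way to write the rules described above on the ASA, as an added example that is not from this thread or from Cisco's documentation. It assumes an inside subnet of 10.0.0.0/24 and an ACL named INSIDE_IN (both made up for the example), and it only applies if an inbound ACL is in use on the inside interface, as the reply explains.

```text
! Added example, not from the thread. Assumed: inside subnet 10.0.0.0/24,
! ACL name INSIDE_IN. Only relevant when an inbound ACL exists on "inside".
!
! --- IPSec from inside hosts to any remote VPN gateway ---
! ISAKMP (IKE) on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50.
! AH (IP protocol 51) is left out, as the reply notes it is rarely used.
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any eq 500
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any eq 4500
access-list INSIDE_IN extended permit esp 10.0.0.0 255.255.255.0 any
!
! --- Microsoft PPTP: control channel on TCP/1723 plus GRE (IP protocol 47) ---
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq 1723
access-list INSIDE_IN extended permit gre 10.0.0.0 255.255.255.0 any
!
! Keep your existing permit entries for ordinary traffic here; the ACL
! still ends with the implicit deny, so nothing beyond this list is opened.
! Note: access-group replaces any ACL already bound to the inside interface.
access-group INSIDE_IN in interface inside
!
! --- Inspection: IPSec pass-through for clients without NAT-T (ESP has no
! port for PAT to track) and PPTP inspection so the return GRE flow is allowed.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
  inspect pptp
!
! Verification while a client connects: hit counts should rise on the new
! entries, and the inspections should be listed as active.
! show access-list INSIDE_IN
! show service-policy
```

If the inside interface has no inbound ACL at all, none of the access-list lines are needed and only the inspection part applies.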

Hi!

Thank You! I'd add the described exceptions too. I can't check/try it out, but ... probably I'll see something in the ASA log and can set/fix issues when something happens. Now I have just set up the device; it is not in the "line of fire" yet.

More thanks, Alar.
