Confusion for ACL in IPSEC VPN tunnel in ASA

Dec 29th, 2009

Hi, I have an ASA-5200 at the US end and at the India end. I have to create an IPSEC peer-to-peer tunnel between them.

US peer address is & network is INDIA peer address is & network is

I have already permitted the interesting traffic in an ACL and bound it to the crypto map as the crypto ACL. I have also configured no NAT.

My questions are:

1. Should I permit IPSEC on the physical OUTSIDE interface on both sides to allow the peer address for tunnel Phase 1 and Phase 2?

2. Should I configure any ACL on the outside interface to accept the reply connection? For example, if the US network is sending traffic on the Citrix port to , should I open an ACL on the US outside interface to allow the reply from

Please help and cash my best wishes.

acomiskey Tue, 12/29/2009 - 05:04

1. No, you don't need to.

2. No. Not only is the firewall stateful, but VPN traffic usually bypasses interface ACLs when using sysopt connection permit-vpn/ipsec.
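To make both answers concrete, here is an added example of the relevant pieces of a site-to-site configuration on the US-side ASA (8.2-style syntax). It is not the original poster's configuration and not from the reply above; all addresses are constructed placeholders, since the real ones are missing from the post, and the ACL and crypto map names are assumed. The India ASA would carry the mirror image.

```cisco
! Added example, not the poster's config. Constructed placeholder addresses:
!   US inside network    10.1.0.0/24   US outside peer    198.51.100.1
!   India inside network 10.2.0.0/24   India outside peer 203.0.113.1

! Phase 1: enable ISAKMP on the outside interface and define the policy.
! Question 1: no outside-ACL entry for UDP/500, UDP/4500 or ESP is required;
! IKE/ESP packets addressed to the ASA itself are not filtered by the interface ACL.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-KEY

! Crypto ACL: the "interesting traffic" that selects the tunnel for Phase 2.
access-list L2L-TO-INDIA extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! NAT exemption for the same address pair (the "no NAT" from the question).
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 2: transform set and crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TO-INDIA
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Question 2: while this is in effect (it is the ASA default, so it may not show
! in the running config), decrypted VPN traffic bypasses the outside interface ACL,
! and replies to inside-initiated sessions are matched by the stateful inspection.
sysopt connection permit-vpn

! Only if the bypass has been deliberately disabled does the remote network need an
! explicit permit on the outside ACL, e.g.:
!   no sysopt connection permit-vpn
!   access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!   access-group OUTSIDE-IN in interface outside
```

After the peer is configured the same way, generating traffic from the inside network should bring the tunnel up; "show crypto isakmp sa" confirms Phase 1 and "show crypto ipsec sa" shows the Phase 2 SAs with packet counters, which is the quickest way to tell whether the crypto ACL or the NAT exemption is the problem.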
