Basic ACL Question

jwbensley
Level 1

Hi There,

I have a 5505 on ASA 8.2 in the field already working. It has two interfaces, LAN/inside and WAN/outside. There is an L2 site-to-site IPSec tunnel configured from the outside interface of the local ASA to the outside interface of a remote F/W (between local internal host .1/32 and remote internal host .1/32).

I want to enable port forwarding for a single port to the outside IP of the local ASA to forward to the internal host .2

If I apply the below configurations at the CLI will this let in the desired traffic without disrupting the IPSec tunnel?

access-list outside_access_in extended permit tcp any interface outside eq 555

static (inside,outside) tcp interface 555 192.168.0.2 555 netmask 255.255.255.255

Thanks for reading.

Accepted Solution

eddie.harmoush
Level 1

If your encryption domain ACL includes only the hosts x.x.x.1 and x.x.x.1, then your static port forward for x.x.x.2 should not cause any issues with the VPN. To be sure, I am answering this under the understanding that the connection to your FW's Interface IP & port 555 is not coming from within the VPN tunnel. 

Moreover, the port you are using (555) is not a standard port used in IPSec VPNs, so you don't have to worry about anything there.  Most VPNs will be using protocol 50 (ESP), protocol 51 (AH), UDP port 500 (ISAKMP), or UDP port 4500 (NAT-T).  So TCP 555 does not run the risk of overlapping with one of these.

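To make the reasoning in the accepted answer concrete, here is the full set of ASA 8.2 lines that have to coexist for this to work: the crypto ACL and NAT exemption for the .1 host, the ordinary PAT, and the new static PAT plus inbound ACE for the .2 host. This is an added example and not configuration from the original post; the ACL names (vpn_crypto, inside_nat0), the crypto map and transform-set names, and the remote addresses (10.10.10.1, 198.51.100.1) are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Assumed addressing:
!   local inside host .1  = 192.168.0.1  (local end of the VPN encryption domain)
!   local inside host .2  = 192.168.0.2  (port-forward target)
!   remote VPN host       = 10.10.10.1   (hypothetical)
!   remote VPN peer       = 198.51.100.1 (hypothetical)

! 1. Encryption domain: only .1 <-> .1 is "interesting" traffic for the tunnel,
!    so the .2 host is never matched here.
access-list vpn_crypto extended permit ip host 192.168.0.1 host 10.10.10.1

! 2. NAT exemption for the VPN hosts (8.2 syntax). On 8.2 NAT exemption is
!    evaluated before static and dynamic NAT, so tunnel traffic keeps its
!    real addresses regardless of the static below.
access-list inside_nat0 extended permit ip host 192.168.0.1 host 10.10.10.1
nat (inside) 0 access-list inside_nat0

! 3. Ordinary Internet PAT for everything else on the inside.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 4. Static PAT: outside interface TCP/555 -> 192.168.0.2:555 (the line from
!    the question). It only creates a translation for .2; .1 is untouched.
static (inside,outside) tcp interface 555 192.168.0.2 555 netmask 255.255.255.255

! 5. Inbound ACL on outside. On 8.2 the ACL references the mapped (pre-NAT)
!    destination, i.e. the outside interface, which is what "interface outside"
!    does. The ACE is useless until the ACL is bound with access-group.
access-list outside_access_in extended permit tcp any interface outside eq 555
access-group outside_access_in in interface outside

! 6. Crypto map binding the encryption domain to the peer (IKE policy and
!    tunnel-group lines omitted; they already exist on a working tunnel).
crypto map outside_map 10 match address vpn_crypto
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Two things worth checking after applying it. First, decrypted tunnel traffic bypasses outside_access_in by default (sysopt connection permit-vpn is on unless it has been turned off), so the new ACE neither helps nor hurts the VPN hosts. Second, packet-tracer shows the whole path for the forwarded port without waiting for a client: `packet-tracer input outside tcp 203.0.113.10 40000 <outside-interface-ip> 555` should end with a NAT phase translating to 192.168.0.2 and an ACCESS-LIST phase matching outside_access_in, while `show crypto ipsec sa` before and after should report the same encryption domain and unchanged encap/decap counters climbing as before.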
