Basic ACL Question

Answered Question
Jan 27th, 2012

Hi There,

I have a 5505 on ASA 8.2 in the field already working. It has two interfaces, LAN/inside and WAN/outside. There is an L2 site-to-site IPSec tunnel configured from the outside interface of the local ASA to the outside interface of a remote F/W (between local internal host .1/32 and remote internal host .1/32).

I want to enable port forwarding for a single port to the outside IP of the local ASA to forward to the internal host .2

If I apply the below configurations at the CLI will this let in the desired traffic without disrupting the IPSec tunnel?

access-list outside_access_in extended permit tcp any interface outside eq 555

static (inside,outside) tcp interface 555 192.168.0.2 555 netmask 255.255.255.255

Thanks for reading.

Correct Answer by eddie.harmoush about 2 years 2 months ago

If your encryption domain ACL includes only the hosts x.x.x.1 and x.x.x.1, then your static port forward for x.x.x.2 should not cause any issues with the VPN. To be sure, I am answering this under the understanding that the connection to your FW's Interface IP & port 555 is not coming from within the VPN tunnel. 

Moreover, the port you are using (555) is not a standard port used in IPSec VPNs, so you don't have to worry about anything there.  Most VPNs will be using protocol 50 (ESP), protocol 51 (AH), UDP port 500 (ISAKMP), or UDP port 4500 (NAT-T).  So TCP 555 does not run the risk of overlapping with one of these.
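The two checks this answer applies, as an added example that is not from the thread or from Cisco: a small Python script that parses the two ASA 8.2 lines from the question, confirms the inbound ACE and the static PAT describe the same mapped port, and flags the two ways a port forward can interfere with a site-to-site tunnel (the real host sits inside the crypto ACL's encryption domain, or the mapped port is one IPsec itself uses). The crypto ACL, the remote host 10.10.10.1/32 and the function names are assumptions constructed for the example; the thread never gives the remote address.

```python
# Added example, not from the thread: sanity-check an ASA 8.2 static PAT
# against a site-to-site IPsec tunnel's encryption domain (the crypto ACL).
# The crypto ACL and remote host below are constructed for illustration.
import ipaddress
import re
from dataclasses import dataclass

# Protocols and ports IPsec itself relies on (as listed in the answer).
IPSEC_IP_PROTOCOLS = {50: "ESP", 51: "AH"}
IPSEC_UDP_PORTS = {500: "ISAKMP", 4500: "NAT-T"}

# ASA 8.2 syntax: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask m
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>interface|\S+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\d+)\s+netmask\s+(?P<mask>\S+)$"
)
# ACE form used in the question: permit proto any interface <if> eq <port>
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+interface\s+(?P<iface>\w+)\s+eq\s+(?P<port>\d+)$"
)


@dataclass
class StaticPat:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str      # "interface" means the mapped interface's own address
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line):
    """Parse one ASA 8.2 'static (...)' port-forward line into a StaticPat."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA 8.2 static PAT line: {line!r}")
    return StaticPat(m["real_if"], m["mapped_if"], m["proto"], m["mapped_ip"],
                     int(m["mapped_port"]), m["real_ip"], int(m["real_port"]))


def ace_matches_pat(ace_line, pat):
    """True if the inbound ACE permits exactly the mapped side of the PAT.
    On 8.2 the outside ACL is evaluated against the mapped (interface) address."""
    m = ACE_RE.match(ace_line.strip())
    return bool(m) and (m["proto"] == pat.proto and m["iface"] == pat.mapped_if
                        and int(m["port"]) == pat.mapped_port
                        and pat.mapped_ip == "interface")


def in_encryption_domain(crypto_acl, local_ip, remote_ip=None):
    """True if local_ip is covered by a crypto ACE (optionally towards remote_ip).
    crypto_acl is a list of (local_network, remote_network) CIDR strings."""
    local = ipaddress.ip_address(local_ip)
    for local_net, remote_net in crypto_acl:
        if local not in ipaddress.ip_network(local_net):
            continue
        if remote_ip is None or ipaddress.ip_address(remote_ip) in ipaddress.ip_network(remote_net):
            return True
    return False


def collides_with_ipsec(proto, port):
    """Only UDP 500/4500 can collide with a tcp/udp port forward; ESP and AH
    are IP protocols, not ports, so a tcp/udp PAT can never overlap them."""
    return proto == "udp" and port in IPSEC_UDP_PORTS


def review_port_forward(static_line, crypto_acl):
    """Return (parsed PAT, list of findings). An empty list means the forward
    is independent of the tunnel, which is the situation in the question."""
    pat = parse_static(static_line)
    findings = []
    if in_encryption_domain(crypto_acl, pat.real_ip):
        findings.append(f"real host {pat.real_ip} is inside the encryption domain; "
                        "its traffic may be pulled into the tunnel instead of the PAT")
    if collides_with_ipsec(pat.proto, pat.mapped_port):
        findings.append(f"mapped {pat.proto}/{pat.mapped_port} is reserved for "
                        f"{IPSEC_UDP_PORTS[pat.mapped_port]} on the outside interface")
    return pat, findings


# Constructed sample: the question's two lines plus an assumed crypto ACL
# (local .1/32 to a remote host 10.10.10.1/32 that the thread never names).
CRYPTO_ACL = [("192.168.0.1/32", "10.10.10.1/32")]
ACE_LINE = "access-list outside_access_in extended permit tcp any interface outside eq 555"
STATIC_LINE = "static (inside,outside) tcp interface 555 192.168.0.2 555 netmask 255.255.255.255"

if __name__ == "__main__":
    pat, findings = review_port_forward(STATIC_LINE, CRYPTO_ACL)
    print("ACE and PAT agree:", ace_matches_pat(ACE_LINE, pat))
    print("findings:", findings or "none (forward is independent of the tunnel)")
```

Run against the question's lines the review returns no findings, which is the answer's conclusion: .2 is outside the encryption domain and TCP 555 is not a port IPsec uses. Pointing the same PAT at .1, or mapping UDP 500, produces a finding for each condition.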


This Discussion

Posted January 27, 2012 at 6:48 AM