Cisco Support Community

Access-List

Hi,

We have an ASA 5505 FW in production which is working fine. The inside NOC users connect to the Miami servers, which are located at the data center, and we can connect to those servers by using the Lucent VPN client. For giving access to the servers I have made the following access-list:

access-list outside_access_in_1 extended permit esp any any

Can I make the access list port-based? If I directly open port 50, will it work instead of making the ESP rule?

May I know whether the above command is sufficient security-wise, or is there any other rule we can make for allowing the IPsec traffic from outside?

Accepted Solution

Re: Access-List

Please note that ESP = IP protocol #50 and not port #50 (like we have in UDP/TCP).

However, you can make your access-list more granular: you will always know the IP address of the VPN gateway (server), so you can put that as 'host' in the access-list:

access-list outside_access_in_1 extended permit esp any host N.N.N.N

Assuming the VPN server is behind the ASA.

Regards

Farrukh

4 REPLIES


Re: Access-List

Hi Ray,

Really, for your VPN tunnel you need to ensure that you specify the from and to groups rather than a blanket any any.

Depending on the transform sets, you will also need to permit either AHP or, more likely, ISAKMP:

access-list 101 permit udp from to eq isakmp

Debugging the tunnel:

show crypto ipsec sa

show crypto isakmp sa

will reveal whether the stages are passed; it may be that if you debug the first stage, the two ends do not have matching transform sets, which would be revealed.
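The accepted answer (ESP is IP protocol 50, not a port; pin the destination to the VPN gateway host) and the reply above (ISAKMP on UDP/500 must be permitted alongside ESP) can be turned into a small ACL audit. The following is an added example, not code from the thread or from Cisco: it parses ASA-style `access-list ... extended` lines and flags the two mistakes discussed. The ACL text and the gateway address 198.51.100.10 are constructed sample data.

```python
import re

# Constructed sample ACL (not from the thread). The first two ACEs show the two
# mistakes discussed above (blanket "any any", and treating ESP as TCP port 50);
# the last three are the granular form pinned to a placeholder VPN gateway address.
SAMPLE_ACL = """\
access-list outside_access_in_1 extended permit esp any any
access-list outside_access_in_1 extended permit tcp any any eq 50
access-list outside_access_in_1 extended permit esp any host 198.51.100.10
access-list outside_access_in_1 extended permit udp any host 198.51.100.10 eq isakmp
access-list outside_access_in_1 extended permit udp any host 198.51.100.10 eq 4500
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
IPSEC_PROTOS = {"esp", "50", "ah", "ahp", "51"}  # IP protocol names/numbers, not ports
ISAKMP_PORTS = {"isakmp", "500", "4500"}         # IKE on UDP/500, NAT-T on UDP/4500


def audit_ace(line):
    """Return the findings for one ACE; an empty list means nothing to flag."""
    m = ACE_RE.match(line.strip())
    if not m:
        return ["could not parse ACE"]
    proto, dst, port = m["proto"], m["dst"], m["port"]
    findings = []
    if proto in ("tcp", "udp") and port in ("50", "51"):
        findings.append("ESP/AH are IP protocols 50/51, not TCP/UDP ports; use 'permit esp'")
    is_vpn = proto in IPSEC_PROTOS or (proto == "udp" and port in ISAKMP_PORTS)
    if is_vpn and dst == "any":
        findings.append("destination 'any' is over-broad; pin it to 'host <vpn-gateway>'")
    return findings


def audit_acl(text):
    """Audit every ACE, then check that ESP is accompanied by an ISAKMP (UDP/500) permit."""
    report, permits = {}, set()
    for line in filter(str.strip, text.splitlines()):
        report[line] = audit_ace(line)
        m = ACE_RE.match(line.strip())
        if m and m["action"] == "permit":
            permits.add("ipsec" if m["proto"] in IPSEC_PROTOS else f"{m['proto']}/{m['port']}")
    if "ipsec" in permits and not permits & {"udp/isakmp", "udp/500"}:
        report["_summary"] = ["ESP permitted without an ISAKMP (udp/500) entry; inbound IKE would be dropped"]
    return report
```

Running `audit_acl(SAMPLE_ACL)` flags the first two ACEs and returns empty findings for the three pinned ones; feeding it only the `esp any any` line additionally produces the missing-ISAKMP summary.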

Re: Access-List

Regarding the additional ACE suggestion:

AHP would be an alternative to ESP, but not an alternative to ISAKMP.

Re: Access-List

Most of your VPN security is going to be derived from making good ISAKMP and IPSec policy decisions, such as:

- The size of your RSA keys (modulus) when using RSA-ENCR or RSA-SIG, each of which is preferable to pre-shared keys.

- Defining specific peers when possible.

- Lifetimes of the ISAKMP SA and IPSec SAs.

- Choice of authentication and encryption transforms for ISAKMP and IPSec.

- DH group.

- PFS (Perfect Forward Secrecy).
