Cisco Support Community
Allow which protocol for VPN tunnel

Hi all,

I'm going to open ports for a VPN tunnel on our ASA 5520 FW.

Please advise whether I should allow the protocol IP or GRE, or both, to be able to run a VPN tunnel between 2 routers.

access-list OUTSIDE extended permit ip host 2.2.2.2 host 1.1.1.1

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Allow which protocol for VPN tunnel

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPsec tunnel:

access-list OUTSIDE extended permit udp host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit udp host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit esp host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN?

Value our effort and rate the assistance!

5 REPLIES
Silver

Allow which protocol for VPN tunnel

Traffic to the device does not require ACLs.

Value our effort and rate the assistance!

Silver

Allow which protocol for VPN tunnel

Unless you have a control plane ACL.

Value our effort and rate the assistance!


Allow which protocol for VPN tunnel

Hi jumora,

Thanks for your reply!

I need to explicitly allow VPN ports/traffic since there's an ASA between the 2 routers.

I can see that in our current production environment, ISAKMP and UDP port 4500 were opened.

Do I also need to open these ports?

access-list OUTSIDE extended permit udp any host HOST eq isakmp

access-list OUTSIDE extended permit udp any host HOST eq 4500

access-list OUTSIDE extended permit gre host 62.x.x.x host 202.x.x.x
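The two ACL sets above (the accepted answer's GRE and IPsec entries, and the production lines in the follow-up question) can be checked mechanically. The script below is an added example written for this thread, not a Cisco tool and not code from anyone in the discussion. It assumes a simplified ASA extended ACE grammar (host/any endpoints, optional "eq" port, no object-groups or subnets), first-match evaluation, and constructed sample lines modelled on the ones quoted here. It reports which protocol/port pairs a GRE or IPsec tunnel still lacks, and flags a "permit ip" entry that satisfies the need only by opening every IP protocol between the two hosts.

```python
"""Added example (not Cisco's tooling): check an ASA interface ACL for the
entries a GRE or IPsec tunnel between two endpoints needs, and flag entries
that are broader than necessary."""
import re

# ASA port literals the checker resolves; "isakmp" is the one the thread uses.
PORT_NAMES = {"isakmp": 500}

# Protocol/destination-port pairs each tunnel type needs through the ASA
# (per the accepted answer: GRE needs protocol 47 only; IPsec needs IKE on
# udp/500, NAT-T on udp/4500 and ESP).
REQUIRED = {
    "gre": [("gre", None)],
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
}

# Extended ACE with host/any endpoints and an optional "eq <port>".
# Object-groups, subnets and port ranges are out of scope for this example.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?:host\s+(?P<src>\S+)|(?P<src_any>any))\s+"
    r"(?:host\s+(?P<dst>\S+)|(?P<dst_any>any))(?:\s+eq\s+(?P<port>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_ace(line):
    """Parse one ACE into a dict, or return None if it is not in the supported shape."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None:
        port = PORT_NAMES[port.lower()] if port.lower() in PORT_NAMES else int(port)
    return {
        "action": m.group("action").lower(),
        "proto": m.group("proto").lower(),      # ASA keywords are case-insensitive
        "src": (m.group("src") or "any").lower(),
        "dst": (m.group("dst") or "any").lower(),
        "port": port,
    }


def _endpoint_matches(ace_value, wanted):
    return ace_value == "any" or ace_value == wanted.lower()


def _first_match(aces, proto, port, remote, local):
    """First-match semantics: the first ACE whose endpoints, protocol (or 'ip')
    and port cover the flow decides, so a deny entry shadows later permits."""
    for ace in aces:
        if not (_endpoint_matches(ace["src"], remote) and _endpoint_matches(ace["dst"], local)):
            continue
        if ace["proto"] not in (proto, "ip"):
            continue
        if port is not None and ace["port"] not in (None, port):
            continue
        return ace
    return None


def check_tunnel_acl(acl_lines, vpn_type, remote, local):
    """Return {'missing': [...], 'broad': [...]} for tunnel traffic from remote
    to local. 'broad' lists needs met only by a 'permit ip' entry, which opens
    every IP protocol between the two hosts rather than just the tunnel."""
    aces = [a for a in map(parse_ace, acl_lines) if a is not None]
    missing, broad = [], []
    for proto, port in REQUIRED[vpn_type]:
        label = proto if port is None else f"{proto}/{port}"
        hit = _first_match(aces, proto, port, remote, local)
        if hit is None or hit["action"] == "deny":
            missing.append(label)
        elif hit["proto"] == "ip":
            broad.append(label)
    return {"missing": missing, "broad": broad}


if __name__ == "__main__":
    # Constructed sample ACLs, modelled on the lines quoted in the thread.
    ip_only = ["access-list OUTSIDE extended permit ip host 2.2.2.2 host 1.1.1.1"]
    ipsec = [
        "access-list OUTSIDE extended permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp",
        "access-list OUTSIDE extended permit udp host 2.2.2.2 host 1.1.1.1 eq 4500",
        "access-list OUTSIDE extended permit esp host 2.2.2.2 host 1.1.1.1",
    ]
    print(check_tunnel_acl(ip_only, "gre", "2.2.2.2", "1.1.1.1"))      # {'missing': [], 'broad': ['gre']}
    print(check_tunnel_acl(ipsec[:2], "ipsec", "2.2.2.2", "1.1.1.1"))  # {'missing': ['esp'], 'broad': []}
    print(check_tunnel_acl(ipsec, "gre", "2.2.2.2", "1.1.1.1"))        # {'missing': ['gre'], 'broad': []}
```

The first call reproduces the original question: "permit ip" does let a GRE tunnel come up, but the checker reports it as broad because it also passes ESP, ICMP and everything else between the two routers; the explicit "permit gre" entry from the accepted answer is the tighter choice. The second call shows the production-style ISAKMP and 4500 entries alone are not enough for IPsec because ESP is still missing.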


Allow which protocol for VPN tunnel

Hi jumora,

Thanks again for your reply!

We'll be setting up only the GRE tunnel on both routers, with no IPsec involved.

Thanks for the tip, and case resolved!
