Cisco Support Community
ASA site-to-site VPN, need to open outside ACL?

Hello,

When you create a site-to-site VPN on Cisco ASA firewall, do you need to also open the acl applied to outside interface to allow the same traffic as specified in the crypto acl for it to work?

The setup I have is that the remote end has site-to-site vpn with my ASA firewall and the subnet on my side is public IP subnet, which is natted to private IPs behind the firewall. I was assuming that the remote traffic comes over the tunnel and hits ASA public interface and if crypto acl allows that traffic it should work. But for some reason I had to open outside acl for the same subnets to make it work. Is that right way of doing it?

Thank you.

3 REPLIES

ASA site-to-site VPN, need to open outside ACL?

Hi Bro

VPN is all about communication between private network addresses. The public IP addresses, better known as routable IP addresses, are merely used to establish VPN peers, nothing more.

Hence, in your case, there’s no need to open any rules on the outside interface. This concept applies not only to Cisco products but any other competitor products too.

Basically, there are 3 rules/policies in Cisco FW that you’ll need to ensure are correctly done. First are the ACLs that are applied to the interface/nameif. Second are the ACLs that are applied to the crypto maps. Third and last are the ACLs tied to the NAT exemption: nat (nameif) 0 access-list _____.

When a host on a private subnet in Location A wants to communicate with a host on a private subnet in Location B, it bypasses the outside / Public IP interface.

You might want to paste your config here, so that the folks in the community can clarify things with you.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

ASA site-to-site VPN, need to open outside ACL?

Hello Ramraj,

Private subnet on my side is natted to a public subnet and that public subnet is being used in the crypto acl. The reason being we don't want to disclose the private subnet info to the customer as that is our core network.

Thank you.

Re: ASA site-to-site VPN, need to open outside ACL?

Could you furnish a simple diagram here (with fake IPs) to explain your situation further?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
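As an added illustration (not from the thread and not a Cisco-supplied configuration), here is a pre-8.3 ASA configuration that lays out the three policies from the first reply for the poster's scenario, where the private subnet is statically translated to a public subnet before it enters the tunnel. All addresses are constructed from the RFC 5737 documentation ranges, the object names are made up, and the pre-shared key is a placeholder.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not from the thread:
!   inside private subnet   10.10.10.0/24   (the core network, hidden from the customer)
!   mapped public subnet    203.0.113.0/24  (what the customer sees in the crypto ACL)
!   ASA outside interface   192.0.2.1
!   customer VPN peer       198.51.100.1, customer private LAN 192.168.50.0/24

! 1) Interface ACL on the outside. Nothing here for the customer's LAN: decrypted
!    tunnel traffic bypasses interface ACLs while the default "sysopt connection
!    permit-vpn" is in effect (check with "show run all sysopt"). Only if it has
!    been turned off with "no sysopt connection permit-vpn" must the outside ACL
!    also permit 192.168.50.0/24 -> 203.0.113.0/24. IKE and ESP addressed to the
!    ASA itself are to-the-box traffic and are not filtered by this ACL either.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2) NAT. Here the private subnet is translated one-to-one to the public subnet
!    before encryption, so only 203.0.113.0/24 appears in the proxy IDs. This
!    takes the place of the "nat (inside) 0 access-list ..." exemption, which
!    you would use instead if the private subnet itself went into the crypto ACL.
static (inside,outside) 203.0.113.0 10.10.10.0 netmask 255.255.255.0

! 3) Crypto ACL, written with the translated addresses. The customer's crypto
!    ACL must be the mirror image: 192.168.50.0/24 -> 203.0.113.0/24.
access-list VPN_TO_CUSTOMER extended permit ip 203.0.113.0 255.255.255.0 192.168.50.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_CUSTOMER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! Verification once the tunnel is up:
!   show crypto ipsec sa peer 198.51.100.1      (#pkts encaps and decaps both rising)
!   packet-tracer input inside tcp 10.10.10.10 1025 192.168.50.10 22
!     -> shows the NAT phase translating to 203.0.113.10, then the VPN encrypt phase
```

If the outside ACL really did have to be opened for the tunnel to pass traffic, the first thing to compare against this layout is the sysopt setting, since with it at its default the interface ACL is never consulted for decrypted packets.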