Lock down ports used for IPSec over GRE on Cisco ASA

johnlloyd_13
Level 9

Hi all,

I would like to 'lock down' the crypto ACL used for S2S/L2L IPsec from IP to the ISAKMP and ESP ports only.

Could anyone confirm if the thinking below is correct? No need for GRE port 47?


object service UDP_500
 service udp source eq 500 destination eq 500

object service UDP_4500
 service udp source eq 4500 destination eq 4500

object service ESP_50
 service esp

object-group service VPN_PORTS
 service-object object UDP_500
 service-object object UDP_4500
 service-object object ESP_50

no access-list S2S_ACL extended permit ip host 1.1.1.1 host 2.2.2.2
access-list S2S_ACL extended permit object-group VPN_PORTS host 1.1.1.1 host 2.2.2.2


9 Replies

Hi johnlloyd_13,

You only need to allow UDP ports 500 and 4500 and the ESP protocol. GRE is encapsulated and encrypted by ESP, so no need to open that.

Spooster IT Services Team

Hi,

So my above config is confirmed acceptable?

Yes, it is correct.

Spooster IT Services Team

Hi,

Thanks! One last thing: I configure the same ACL to 'mirror' the crypto ACL on the other ASA, correct?

Meaning, change the ACE from IP to the grouped VPN ports.

Yes.

GRE tunnels are not supported on ASA. Is this ACL for routers behind the ASAs?

Spooster IT Services Team

Yes, GRE tunnels are terminated on routers behind the ASA.

That's great. Go ahead with the above configuration.

Spooster IT Services Team

Well, although the ACL can work, it doesn't make much sense. We need to look at two scenarios:

1) No NAT between the IPsec peers. You need UDP(500,500) and ESP. That is covered.

2) If there is NAT, the connection is started with UDP(500,500), but the source port can get changed to something different. After detecting NAT, the initiator switches to UDP(4500,4500), and again the source can be changed to something else. Here, no ESP is seen by the ACL, as everything is encapsulated in UDP.
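As an added illustration of the two scenarios in the reply above (this is example code written for this page, not configuration or code posted by anyone in the thread), the Python below models the object-group entries from the original post as (protocol, source port, destination port) tuples and replays a constructed IKE/NAT-T exchange through two access-list forms: the pinned-port form from the post, and a destination-port-only form (on the ASA that would be `service udp destination eq 500` with `source eq` omitted). The packet lists, the rewritten source ports 51000 and 52000, and the assumption that the NAT device sits ahead of the ACL that is being evaluated are all constructed for the demonstration.

```python
"""Added example: replay the no-NAT and NAT scenarios against an ASA-style crypto ACL.

Not from the thread. Models 'service udp source eq X destination eq Y' and
'service esp' entries and checks which packets of a constructed IKE/NAT-T
exchange each access-list form classifies as interesting traffic.
"""
from dataclasses import dataclass
from typing import List, Optional

HOST_A = "1.1.1.1"  # local peer, as in the thread's ACE
HOST_B = "2.2.2.2"  # remote peer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp" or "esp"
    sport: Optional[int] = None  # None for ESP, which carries no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class ServiceObject:
    """One 'service ...' line. None means the port is unspecified (matches any)."""
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def ace_permits(group: List[ServiceObject], pkt: Packet) -> bool:
    """'permit object-group <group> host 1.1.1.1 host 2.2.2.2' applied to one packet."""
    if pkt.src != HOST_A or pkt.dst != HOST_B:
        return False
    return any(obj.matches(pkt) for obj in group)


def unmatched(group: List[ServiceObject], packets: List[Packet]) -> List[Packet]:
    """Packets the ACE would NOT classify as interesting traffic."""
    return [p for p in packets if not ace_permits(group, p)]


# The thread's object-group: source and destination port both pinned.
VPN_PORTS_PINNED = [
    ServiceObject("udp", 500, 500),    # object service UDP_500
    ServiceObject("udp", 4500, 4500),  # object service UDP_4500
    ServiceObject("esp"),              # object service ESP_50
]

# Destination-port-only form: 'service udp destination eq 500' and 'eq 4500'.
VPN_PORTS_DST_ONLY = [
    ServiceObject("udp", None, 500),
    ServiceObject("udp", None, 4500),
    ServiceObject("esp"),
]


def scenario_no_nat() -> List[Packet]:
    """Scenario 1: IKE on 500/500, then plain ESP. Constructed packets."""
    return [
        Packet(HOST_A, HOST_B, "udp", 500, 500),
        Packet(HOST_A, HOST_B, "esp"),
    ]


def scenario_nat() -> List[Packet]:
    """Scenario 2: a NAT device ahead of the ACL rewrites the source port
    (51000 and 52000 are constructed values); after NAT detection the initiator
    moves to 4500 and ESP rides inside UDP, so no bare ESP packet appears."""
    return [
        Packet(HOST_A, HOST_B, "udp", 500, 500),     # first IKE packet
        Packet(HOST_A, HOST_B, "udp", 51000, 500),   # source port rewritten by NAT
        Packet(HOST_A, HOST_B, "udp", 52000, 4500),  # NAT-T: UDP-encapsulated ESP
    ]


def run() -> dict:
    """Number of packets each ACL form fails to match in each scenario."""
    return {
        "pinned/no_nat": len(unmatched(VPN_PORTS_PINNED, scenario_no_nat())),
        "pinned/nat": len(unmatched(VPN_PORTS_PINNED, scenario_nat())),
        "dst_only/no_nat": len(unmatched(VPN_PORTS_DST_ONLY, scenario_no_nat())),
        "dst_only/nat": len(unmatched(VPN_PORTS_DST_ONLY, scenario_nat())),
    }


if __name__ == "__main__":
    for name, missed in run().items():
        print(f"{name}: {missed} packet(s) not matched")
```

Run it directly to print how many packets each form misses: the pinned form matches everything without NAT but misses both post-rewrite packets with NAT, while the destination-only form matches all of them. Two caveats go with that: the result depends on where the NAT device sits relative to the ASA evaluating the ACL (a NAT beyond the ASA is invisible to this ACL on the outbound leg), and if 2.2.2.2 is the peer behind NAT and it initiates, the replies from 1.1.1.1 carry the translated port as their destination port, which a destination-only entry misses as well.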

Hi Karsten,

Thanks for diving in! My scenario is depicted in your item 1.

I've got GRE tunnels terminated on a router behind the ASA that would trigger the 'interesting' traffic (crypto ACL).
