When a client is connecting via a remote network using IPSec over TCP, does that port require an inbound/outbound rule on the remote firewall, or can the firewall just have an outbound rule and, as long as the client can go out, it should be able to return? I've heard different views here, but I have to come up with a document to send to the admins of the remote network and want to make sure what I'm sending them is correct. I realize there could be exceptions, but generally speaking, does IPSec traffic follow typical IP rules when encapsulating?

To the best of my knowledge, if the flow in the outbound direction (from higher to lower level) is permitted through a firewall, the corresponding inbound traffic is permitted too. However, as with all great things, it is not exactly that simple. Let's say a host sitting on the inside interface is accessing a resource on the outside interface. Let's say that the default ASA behaviour and the NAT configurations allow the outbound request to pass through; the corresponding response packets from the outside server will be allowed through to the inside interface... provided that the response comes before the translations time out. This also means that just because a host on the inside can access a server on the outside, the server does not necessarily have the capacity to initiate communication with the host on the inside.
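The behaviour described in the answer (an outbound flow creates state, return packets ride that state until it idles out, and the outside server still cannot open its own connection inward) can be seen in a small toy model of a stateful firewall. This is an added example, not Cisco ASA code and not part of the original thread; the addresses, the 60-second idle timeout and the TCP port 10000 used for the IPsec-over-TCP session are constructed values, and `StatefulFirewall`, `Flow` and `simulate` are names chosen here.

```python
"""Toy stateful-firewall model: outbound-initiated flows create a connection
entry, reply traffic for that entry is allowed back in until the entry idles
out, and unsolicited inbound connections are denied. Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        # The reply direction of a flow swaps source and destination.
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    def __init__(self, inside_net: str, outbound_ports: Set[int], idle_timeout: float):
        self.inside = ip_network(inside_net)
        self.outbound_ports = outbound_ports   # TCP ports inside hosts may open outbound
        self.idle_timeout = idle_timeout       # seconds before a connection/translation entry ages out
        self.table: Dict[Flow, float] = {}     # established outbound flows -> last-seen time

    def _is_inside(self, ip: str) -> bool:
        return ip_address(ip) in self.inside

    def _expire(self, now: float) -> None:
        # Drop entries that have been idle longer than the timeout (the "translations time out" case).
        stale = [f for f, seen in self.table.items() if now - seen > self.idle_timeout]
        for f in stale:
            del self.table[f]

    def check(self, flow: Flow, now: float) -> str:
        self._expire(now)
        if flow in self.table:                 # more packets of an outbound flow we already know
            self.table[flow] = now
            return "ALLOW established"
        if flow.reverse() in self.table:       # reply to a flow the inside host opened
            self.table[flow.reverse()] = now
            return "ALLOW return"
        if self._is_inside(flow.src_ip) and not self._is_inside(flow.dst_ip):
            if flow.proto == "tcp" and flow.dst_port in self.outbound_ports:
                self.table[flow] = now         # new outbound connection creates state
                return "ALLOW new outbound"
            return "DENY outbound policy"
        return "DENY unsolicited inbound"      # nobody on the inside asked for this


def simulate() -> List[Tuple[str, str]]:
    # Constructed values: 10.1.1.25 is the inside VPN client, 203.0.113.10 the
    # remote VPN head-end, and TCP 10000 stands in for whatever port the
    # head-end listens on for IPsec over TCP.
    fw = StatefulFirewall("10.0.0.0/8", {10000}, idle_timeout=60.0)
    out = Flow("tcp", "10.1.1.25", 51000, "203.0.113.10", 10000)
    back = out.reverse()
    unsolicited = Flow("tcp", "203.0.113.10", 40000, "10.1.1.25", 10000)
    return [
        ("client -> head-end, new connection", fw.check(out, now=0.0)),
        ("head-end -> client, reply at t=5s", fw.check(back, now=5.0)),
        ("head-end -> client, reply at t=30s", fw.check(back, now=30.0)),
        ("head-end -> client, reply at t=200s (idle > 60s)", fw.check(back, now=200.0)),
        ("head-end -> client, unsolicited connect", fw.check(unsolicited, now=201.0)),
    ]


if __name__ == "__main__":
    for label, decision in simulate():
        print(f"{label:50} {decision}")
```

The model makes the two points in the answer concrete: only an outbound rule is needed for the client-initiated IPsec-over-TCP session, because the reply is matched against the reversed 5-tuple of the entry the client created; but once that entry has idled out (the fourth packet), or when the head-end tries to start its own connection (the fifth), the same traffic is treated as unsolicited inbound and dropped, so anything that genuinely needs the remote side to connect first still requires an explicit inbound rule.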

