Cisco Support Community

Confusion for ACL in IPSEC VPN tunnel in ASA

Hi, I have an ASA-5200 at the US end and one at the India end. I have to create an IPsec peer-to-peer tunnel between them.

The US peer address is 202.202.202.4 and its network is 10.0.0.0/24. The India peer address is 101.101.101.10 and its network is 20.0.0.0/24.

I have already permitted the interesting traffic in an ACL and bound it to the crypto map as the crypto ACL. I have also configured no NAT.

My questions are:

1. Should I permit IPsec on the physical OUTSIDE interface on both sides to allow the peer address for tunnel Phase 1 and Phase 2?

2. Should I configure any ACL on the outside interface to accept the reply connection? For example, if the US network 10.0.0.0/24 is sending traffic on the Citrix port to 20.0.0.0/24, should I open the ACL on the US outside interface to allow the reply from 20.0.0.0/24?

Please help, and accept my best wishes.

Regards,

Rupesh

1 REPLY
Green

Re: Confusion for ACL in IPSEC VPN tunnel in ASA

1. No, you don't need to.

2. No. Not only is the firewall stateful, but VPN traffic usually bypasses interface ACLs when using sysopt connection permit-vpn/ipsec.
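The configuration below is an added worked example for the US-side ASA in the scenario above; it is not taken from the thread and is not either poster's configuration. It assumes ASA 8.4 or later syntax (object-based NAT, the crypto ikev1 keywords), IKEv1 with a pre-shared key, AES-256/SHA, and the object, ACL, transform-set and crypto-map names shown, all of which are illustrative choices. The pre-shared key is a placeholder. The India side is the mirror image (swap the peer addresses and the source/destination objects).

```text
! ---- US ASA: outside = 202.202.202.4, inside LAN = 10.0.0.0/24 ----
! (example names and crypto parameters are assumptions, not from the thread)

object network US-LAN
 subnet 10.0.0.0 255.255.255.0
object network INDIA-LAN
 subnet 20.0.0.0 255.255.255.0

! Crypto ACL = "interesting traffic". It selects what gets encrypted;
! it is NOT an interface ACL. The India side must have the exact mirror.
access-list VPN-TO-INDIA extended permit ip object US-LAN object INDIA-LAN

! NAT exemption (identity NAT) so tunnel traffic keeps its real addresses.
! Put this above any dynamic PAT rule for the inside network.
nat (inside,outside) source static US-LAN US-LAN destination static INDIA-LAN INDIA-LAN no-proxy-arp route-lookup

! Phase 1 (IKEv1). Enabling IKE on the outside interface is all that is
! needed for the peer to reach this ASA: IKE (UDP/500, UDP/4500) and ESP
! sent to the ASA's own outside address are to-the-box traffic, which the
! outside interface ACL does not filter. No "permit udp ... eq isakmp" or
! "permit esp" entry is required (question 1 above).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 (IPsec) transform set
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Peer definition with the pre-shared key (placeholder value)
tunnel-group 101.101.101.10 type ipsec-l2l
tunnel-group 101.101.101.10 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! Crypto map: tie the crypto ACL, peer and transform set together and
! apply the map to the outside interface.
crypto map OUTSIDE-MAP 10 match address VPN-TO-INDIA
crypto map OUTSIDE-MAP 10 set peer 101.101.101.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Outside interface ACL: only non-VPN inbound services belong here.
! Nothing for 20.0.0.0/24 is needed (question 2 above): replies to
! connections opened from 10.0.0.0/24 are matched by the stateful
! connection table, and decrypted tunnel traffic bypasses this ACL
! altogether while the default below is in effect.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Default setting (on by default, so it is hidden in "show run").
! If someone has turned it off ("no sysopt connection permit-vpn"), then
! decrypted traffic is subject to OUTSIDE-IN, and you would need e.g.
!   access-list OUTSIDE-IN extended permit ip object INDIA-LAN object US-LAN
! for flows that India initiates; US-initiated flows and their replies
! still pass on connection state.
sysopt connection permit-vpn

! ---- Verification ----
! show running-config all sysopt    -> confirm "sysopt connection permit-vpn"
! show crypto ikev1 sa              -> Phase 1 SA with peer 101.101.101.10
! show crypto ipsec sa              -> Phase 2 SA; #pkts encaps/decaps rising
! packet-tracer input inside tcp 10.0.0.10 1025 20.0.0.10 1494 detailed
!                                   -> NAT phase should show the exemption
!                                      rule and the VPN phase "ALLOW"
```

The most common reasons a tunnel in this shape fails are a crypto ACL that is not an exact mirror on the far side and a dynamic PAT rule ordered above the NAT exemption; `packet-tracer` shows which NAT rule a packet hits, so check that before adding anything to the outside interface ACL.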
