Confusion for ACL in IPSEC VPN tunnel in ASA

Rupesh Kashyap
Level 1

Hi, I have ASA-5200 in US and India end. I have to create IPSEC peer-2-peer tunnel between them.

US peer address is 202.202.202.4 & network is 10.0.0.0/24. INDIA peer address is 101.101.101.10 & network is 20.0.0.0/24.

I have already permitted the interesting traffic in an ACL and bound it to the crypto map as the crypto ACL. I have configured NAT exemption (no NAT) as well.

My questions are-

1. Should I permit IPsec on the physical OUTSIDE interface on both sides to allow the peer address for Tunnel Phase 1 & 2?

2. Should I configure any ACL on the outside interface to accept the reply connection? For example, if the US network 10.0.0.0/24 is sending traffic on the Citrix port to 20.0.0.0/24, should I open an ACL on the US outside interface to allow the reply from 20.0.0.0/24?

Please help and cash my best wishes.

Regards,

Rupesh

1 Reply

acomiskey
Level 10

1. No, you don't need to.

2. No. Not only is the firewall stateful, but VPN traffic usually bypasses interface ACLs when using sysopt connection permit-vpn/ipsec.
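As an added illustration (not the poster's or the replier's configuration), here is the US-side ASA fragment that makes both answers hold, with a check for the one setting that would change answer 2. Object, ACL, crypto map and transform-set names are assumed; the addresses are the ones given in the question; syntax is ASA 8.4+ style.

```cisco
! Added example, not the original poster's config. Names NET-10, NET-20,
! VPN-TO-INDIA, OUTSIDE-MAP, ESP-AES-SHA and OUTSIDE-IN are assumed.

! Q1: IKE/ESP addressed to the ASA's own outside address is "to-the-box"
! traffic. It is accepted once IKEv1 is enabled on the interface; the
! interface access-group is not consulted, so no permit for UDP 500/4500
! or ESP is needed there.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 101.101.101.10 type ipsec-l2l
tunnel-group 101.101.101.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! Interesting traffic (crypto ACL) and the NAT exemption the poster already has.
object network NET-10
 subnet 10.0.0.0 255.255.255.0
object network NET-20
 subnet 20.0.0.0 255.255.255.0
access-list VPN-TO-INDIA extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
nat (inside,outside) source static NET-10 NET-10 destination static NET-20 NET-20 no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-INDIA
crypto map OUTSIDE-MAP 10 set peer 101.101.101.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Q2: this is the ASA default. While it is in place, decrypted tunnel
! traffic (e.g. the Citrix replies from 20.0.0.0/24) bypasses the outside
! interface ACL entirely, and the stateful connection table handles the
! return flow anyway.
sysopt connection permit-vpn

! Check: the default is not shown in "show running-config", so confirm with
!   show running-config all sysopt
! Only if someone has set "no sysopt connection permit-vpn" does the outside
! ACL need an explicit permit for the remote subnet, e.g.:
!   access-list OUTSIDE-IN extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!   access-group OUTSIDE-IN in interface outside
```

The India side mirrors this with the subnets and peer address swapped.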