Cisco Support Community
New Member

Firewall ACL Rules on ASAs

Has anybody figured out, or found an accurate document on, how to configure the interface firewall ACLs on an ASA which is accepting VPN tunnels?

I'm still not certain whether there is a need to permit IPSec, etc., in the external interface's incoming ACL...?

Hall of Fame Super Blue

Re: Firewall ACL Rules on ASAs

Routers: yes, you need to add the ports.

PIX firewalls: no, you don't need to add the ports.

I learnt the above two from some painful experimenting :-)

I'm assuming the ASA follows the PIX example.


New Member

Re: Firewall ACL Rules on ASAs

Jon is correct: on an ASA you only have to enable IPSec on the interface you are terminating your tunnels on, and no other ACLs are needed. On the Cisco Concentrators and Cisco routers you do need an ACL for this traffic, but it's not needed on the ASA & PIX.

New Member

Re: Firewall ACL Rules on ASAs

Thanks guys... However, I have configured ACLs on the ASA, incoming on the external interface, for other reasons.

As there is an implicit deny any attached to it, is it therefore required in this case? Or does the VPN tunnel configuration override the incoming firewall ACLs? I'm asking because I have experienced odd behaviour, so I'm just not sure what exactly is required...?
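As an added illustration (not taken from any of the posts above) of the router-versus-ASA difference the replies describe, here is the outside-interface configuration for each side by side, showing why the ASA's interface ACL and its implicit deny do not block the tunnel. Interface names, ACL names and the 203.0.113.x addresses are constructed placeholders, and the ASA commands assume the 7.x/8.0-era syntax in use when PIX and ASA coexisted.

```cisco
! --- IOS router terminating IPsec: the inbound ACL on the outside
! --- interface must explicitly permit IKE and ESP to the router itself
! --- (203.0.113.1 is a constructed address for the router's outside IP).
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 remark IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) to the router
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 deny   ip any any log
!
! --- ASA terminating the same tunnels: IKE/ESP addressed to the ASA itself
! --- is accepted once IKE is enabled on the interface and is not evaluated
! --- against the interface ACL, so no entry is added for it. Decrypted
! --- tunnel traffic also bypasses the interface ACL while this default
! --- (the ASA successor of the PIX "sysopt connection permit-ipsec") is set.
sysopt connection permit-vpn
crypto isakmp enable outside
crypto map OUTSIDE_MAP interface outside
!
! --- The ACL applied "for other reasons" stays as it is; its implicit deny
! --- affects only clear-text traffic arriving on the outside interface.
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 443
access-group outside_access_in in interface outside
!
! --- Only if "no sysopt connection permit-vpn" were configured would the
! --- decrypted VPN traffic be checked by outside_access_in, and it would
! --- then need explicit entries for the protected networks, for example:
! access-list outside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
```

On ASA 8.4 and later the IKE line is spelled `crypto ikev1 enable outside`; the ACL behaviour is unchanged.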
