Firewall ACL Rules on ASAs

8c-stone
Level 1

Has anybody figured out, or found an accurate document on, how to configure the interface firewall ACLs on an ASA which is accepting VPN tunnels?

I'm still not certain whether there is a need to permit IPSec, etc., in the incoming ACL on the external i/f...?

4 Replies

Jon Marshall
Hall of Fame

Routers: yes, you need to add the ports.

Pix firewalls: no, you don't need to add the ports.

I learnt the above two from some painful experimenting :-)

I'm assuming the ASA follows the Pix example.

Jon

Jon is correct: on an ASA you only have to enable IPSec on the interface you are terminating your tunnels on, and no other ACLs are needed. On the Cisco Concentrators and Cisco routers you do need an ACL for this traffic, but it is not needed on the ASA & PIX.
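As an added illustration (not part of either reply above, and not the original poster's configuration), this is the minimal ASA configuration the two replies describe, together with the setting that decides whether decrypted tunnel traffic is checked against the interface ACL. The interface name `outside`, the ACL name `OUTSIDE_IN`, and the 203.0.113.x / 192.0.2.x addresses are assumptions chosen for the example; the `crypto ikev1` form of the enable command is for ASA 8.4 and later, while older images use `crypto isakmp enable`.

```cisco
! Step 1: enable IKE on the interface that terminates the tunnels.
! This is what allows IKE (UDP/500), NAT-T (UDP/4500) and ESP addressed
! to the ASA's own outside address; it is not an entry in the interface ACL.
crypto ikev1 enable outside
! (pre-8.4 images: crypto isakmp enable outside)

! Step 2: the interface ACL still governs ordinary through-the-box traffic
! arriving on outside. Note the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 25
access-group OUTSIDE_IN in interface outside

! Step 3: this is the setting that answers the "does the tunnel override
! the ACL" question. It is on by default: decrypted traffic from a tunnel
! bypasses the interface ACL, so nothing needs adding to OUTSIDE_IN.
sysopt connection permit-vpn

! If you deliberately want decrypted tunnel traffic filtered by the
! interface ACL instead, turn the bypass off and then the remote subnet
! must be permitted explicitly in OUTSIDE_IN, e.g.:
!   no sysopt connection permit-vpn
!   access-list OUTSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 any

! Checks to run when behaviour looks odd:
!   show running-config sysopt        <- confirm permit-vpn has not been disabled
!   show crypto isakmp sa             <- confirm phase 1 is actually up
!   show access-list OUTSIDE_IN       <- hit counts show whether the ACL is
!                                        seeing the decrypted traffic at all
```

The practical consequence of `sysopt connection permit-vpn` being the default is that an outside interface ACL with only an implicit deny does not break tunnels; if tunnel traffic is being dropped, the first things to verify are that the bypass is still enabled and that phase 1 and phase 2 have actually negotiated, rather than adding IPSec ports to the ACL.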

Thanks, guys... However, I have configured ACLs on the ASA, incoming on the external interface, for other reasons.

As there is an implicit deny any attached to it, is it therefore required in this case? Or does the VPN tunnel configuration override the incoming firewall ACLs? I'm asking because I have experienced odd behaviour, so I'm just not sure what exactly is required...?