
IPSEC thru ASA 7.x

Topology: Router1 <->(outside)ASA(inside) <-> Router2

IPSEC tunnel from Router1 to Router2

With the routers being the IPsec endpoints, do I need to explicitly permit ESP & ISAKMP on both the inside and outside interfaces in the inward direction of the ASA?

Or will it be enough to permit ESP & ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?

6 REPLIES
Gold

Re: IPSEC thru ASA 7.x

Do you have any other ACLs on your ASA besides an inbound ACL on your outside interface?

On your inbound ACL on the outside interface of the ASA, you need to permit udp/500 and esp.

You could also use ipsec-pass-thru.

Are you having problems bringing the tunnel up?

Re: IPSEC thru ASA 7.x

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq www

access-list inside extended permit tcp host a.b.c.d gt 1023 any eq https

access-list outside extended permit esp any any

access-list outside extended permit udp any any eq 500

access-group inside in interface inside

access-group outside in interface outside

In this scenario, do I need to explicitly permit esp from inside to outside for the tunnel to get established from R1 to R2?

Thanks,

Vikram

Gold

Re: IPSEC thru ASA 7.x

Yes, if the VPN might be initiated from the Router1 side.

Add the following:

access-list inside extended permit esp any any

access-list inside extended permit udp any any eq 500
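To make the accepted answer concrete, here is a small Python model (added here, not code from the thread or from Cisco) of how the ASA's inbound interface ACLs gate the tunnel in this topology. It parses the access-list and access-group lines Vikram posted, with the constructed address 192.0.2.10 standing in for the a.b.c.d placeholder and constructed addresses for Router1 and Router2, then checks whether a tunnel initiated from either side gets through, first with the posted config and then with the two inside entries the accepted reply adds. It assumes, as the first reply implies for a box without ipsec-pass-thru inspection, that ESP is not tracked as a connection, so each direction of ESP must be permitted on the interface it enters; IKE over UDP/500 is treated as a tracked connection whose reply is allowed automatically. NAT, the ip protocol keyword and inspection are outside the model.

```python
import ipaddress
from collections import namedtuple
from typing import Dict, List

# Toy model of ASA 7.x inbound interface ACLs (added example, not Cisco code):
# the first packet of a flow is checked against the ACL applied 'in' on the
# interface it arrives on; first match wins; implicit deny at the end.
PROTO_NUM = {"tcp": 6, "udp": 17, "esp": 50}      # ACL protocol keywords used in the thread
PORT_NAME = {"www": 80, "https": 443, "isakmp": 500}
SECURITY_LEVEL = {"inside": 100, "outside": 0}    # Router1 <-> (outside) ASA (inside) <-> Router2

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
# In an Ace, src/dst None means 'any'; sport/dport None means no port operator
Ace = namedtuple("Ace", "permit proto src sport dst dport")

def _port_ok(rng, port) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def ace_matches(a: Ace, p: Packet) -> bool:
    return (a.proto == p.proto
            and (a.src is None or p.src in a.src)
            and (a.dst is None or p.dst in a.dst)
            and _port_ok(a.sport, p.sport) and _port_ok(a.dport, p.dport))

def _parse_addr(t, i):
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2   # address netmask form

def _parse_port(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        n = PORT_NAME.get(t[i + 1]) or int(t[i + 1])
        return {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}[t[i]], i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """access-list NAME extended permit|deny PROTO SRC [op PORT] DST [op PORT]"""
    t = line.split()
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Ace(t[3] == "permit", PROTO_NUM[t[4]], src, sport, dst, dport)

class Asa:
    def __init__(self):
        self.acls: Dict[str, List[Ace]] = {}
        self.inbound: Dict[str, str] = {}     # interface -> ACL name bound with 'in'

    def configure(self, config: str) -> "Asa":
        for line in config.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list":
                self.acls.setdefault(t[1], []).append(parse_ace(line))
            elif t[0] == "access-group":      # access-group NAME in interface IFACE
                self.inbound[t[4]] = t[1]
        return self

    def permits(self, iface: str, p: Packet) -> bool:
        """Is the first packet of a flow arriving on iface allowed through?"""
        name = self.inbound.get(iface)
        if name is None:   # no ACL bound: only higher- to lower-security traffic passes
            return SECURITY_LEVEL[iface] > min(SECURITY_LEVEL.values())
        for ace in self.acls.get(name, []):
            if ace_matches(ace, p):
                return ace.permit
        return False       # implicit deny

# Vikram's posted config, with constructed 192.0.2.10 standing in for a.b.c.d.
POSTED_CONFIG = """
access-list inside extended permit tcp host 192.0.2.10 gt 1023 any eq www
access-list inside extended permit tcp host 192.0.2.10 gt 1023 any eq https
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq 500
access-group inside in interface inside
access-group outside in interface outside
"""
ACCEPTED_FIX = """
access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
"""
R1 = ipaddress.ip_address("198.51.100.1")   # Router1, outside (constructed address)
R2 = ipaddress.ip_address("192.0.2.2")      # Router2, inside (constructed address)
WEB_HOST = ipaddress.ip_address("192.0.2.10")

def tunnel_comes_up(asa: Asa, initiator: str) -> bool:
    """IKE (UDP/500) is a tracked connection, so only the initiator's first packet
    is checked. Assumption (no ipsec-pass-thru inspection): ESP is not tracked,
    so each direction needs a permit on the interface it enters."""
    ike = ("outside", R1, R2) if initiator == "R1" else ("inside", R2, R1)
    return (asa.permits(ike[0], Packet(17, ike[1], ike[2], 500, 500))
            and asa.permits("outside", Packet(50, R1, R2))
            and asa.permits("inside", Packet(50, R2, R1)))

if __name__ == "__main__":
    for label, asa in (("posted", Asa().configure(POSTED_CONFIG)),
                       ("posted + fix", Asa().configure(POSTED_CONFIG).configure(ACCEPTED_FIX))):
        print(label, "R1-initiated:", tunnel_comes_up(asa, "R1"), "R2-initiated:", tunnel_comes_up(asa, "R2"))
```

With the posted config the model reports the tunnel failing from both sides: an R2-initiated tunnel dies at the inside ACL's implicit deny on the first IKE packet, and an R1-initiated one gets its IKE exchange through but has its R2-to-R1 ESP dropped on the inside interface. Once the two inside entries from the accepted reply are appended, both directions pass, while the inside ACL still restricts the web client to its high-numbered source ports.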

Re: IPSEC thru ASA 7.x

I believe the same config (after your line additions) would hold good when the VPN is being initiated from R2 to R1. Is that correct?

Re: IPSEC thru ASA 7.x

One last question:

access-list inside extended permit ip any any

Will it take care of everything (including esp and isakmp)?

Gold

Re: IPSEC thru ASA 7.x

It will not take care of esp.
