vpn traffic and security acls

WILLIAM STEGMAN
Level 4

I'm using a PIX 515 with ASA 7.2. I have a couple of tunnels and remote access set up. The same PIX is used as a firewall between the inside users and the Internet. I'm pretty sure there is a setting for remote access VPN connections to be exempt from ACLs, but I am not sure how it works for site-to-site tunnels. I recently implemented an ACL on my inside interface and, as a precaution, created an ACL that included the statement access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0

I have two questions. First, do I need that statement to allow traffic to flow from the networks connected to the inside interface of my firewall (any) to the remote end of the site-to-site tunnel (10.4.1.0/24)? Second, I thought including ip in your ACL meant any and all traffic, but on the syslog server I see certain UDP traffic being blocked. Could anyone clarify how this works for me?

thank you,

Bill

Accepted Solution

Kamal Malhotra
Cisco Employee

Hi Bill,

The ACL statements are checked sequentially, so if UDP is denied before IP is permitted, you'll see those messages. I'm not sure how your PIX is configured, but if there is an ACL bound to the inside interface then we have to permit the VPN traffic and also need to make sure the NAT bypass is configured for such traffic.

HTH,

Please rate if it helps.

Regards,

Kamal


3 Replies


So when using ip in your ACL, UDP is covered? Yes, there is an ACL bound on the inside interface, so thank you, that helps clear it up.

My bad, I had tcp any 10.4.1.0/24 rather than ip for that particular subnet.

thx again
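Added example, not code from the thread or from Cisco: a small Python model of how a PIX/ASA interface ACL is evaluated, covering both points raised above (Kamal's note that entries are checked in order, and Bill's finding that the entry was written with tcp instead of ip). The inside LAN 10.1.1.0/24, the host addresses and the flow ports are constructed; the remote subnet 10.4.1.0/24 and the ACL entries are taken from the posts.

```python
import ipaddress

# Added example, not the poster's configuration: a first-match model of a
# PIX/ASA interface ACL. Every entry is tested in order; the first hit decides,
# and a flow that hits nothing falls through to the implicit deny at the end.


def ace(action, proto, src, dst):
    """One access control entry. src/dst are 'any' or a CIDR string."""
    return {"action": action, "proto": proto, "src": _net(src), "dst": _net(dst)}


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec)


def _matches(entry, flow):
    # 'ip' matches every transport protocol; 'tcp' / 'udp' match only themselves.
    proto_ok = entry["proto"] == "ip" or entry["proto"] == flow["proto"]
    src_ok = entry["src"] is None or ipaddress.ip_address(flow["src"]) in entry["src"]
    dst_ok = entry["dst"] is None or ipaddress.ip_address(flow["dst"]) in entry["dst"]
    return proto_ok and src_ok and dst_ok


def evaluate(acl, flow):
    """Return (action, index of the deciding entry); index -1 means implicit deny."""
    for i, entry in enumerate(acl):
        if _matches(entry, flow):
            return entry["action"], i
    return "deny", -1


# Constructed traffic from a hypothetical inside LAN (10.1.1.0/24) toward the
# tunnel's remote subnet named in the thread, 10.4.1.0/24.
TCP_FLOW = {"proto": "tcp", "src": "10.1.1.5", "dst": "10.4.1.10", "dport": 445}
UDP_FLOW = {"proto": "udp", "src": "10.1.1.5", "dst": "10.4.1.10", "dport": 514}

# What Bill actually had: tcp instead of ip, so UDP falls to the implicit deny.
ACL_TCP_ONLY = [ace("permit", "tcp", "any", "10.4.1.0/24")]

# The entry from the original post: ip covers tcp, udp and icmp alike.
ACL_IP = [ace("permit", "ip", "any", "10.4.1.0/24")]

# Kamal's ordering point: an earlier deny wins over a later permit ip.
ACL_DENY_FIRST = [
    ace("deny", "udp", "any", "any"),
    ace("permit", "ip", "any", "10.4.1.0/24"),
]


def explain(name, acl, flow):
    """One line per flow saying which entry decided, in the spirit of a syslog hit."""
    action, idx = evaluate(acl, flow)
    where = "implicit deny" if idx == -1 else f"entry {idx}"
    return (f"{name}: {flow['proto']} {flow['src']} -> {flow['dst']}/{flow['dport']} "
            f"{action} by {where}")


if __name__ == "__main__":
    for name, acl in (("tcp-only", ACL_TCP_ONLY), ("ip", ACL_IP), ("deny-first", ACL_DENY_FIRST)):
        for flow in (TCP_FLOW, UDP_FLOW):
            print(explain(name, acl, flow))
```

Running it shows the UDP flow being dropped by the implicit deny under the tcp-only list, permitted under the ip list, and dropped by entry 0 when a broader deny precedes the permit. On the PIX itself the two things Kamal names are the interface ACL (the permit ip entry placed ahead of any narrower deny) and NAT exemption for the tunnel traffic (nat (inside) 0 access-list with a matching no-NAT ACL). The setting Bill recalls, sysopt connection permit-vpn, exempts traffic arriving through a VPN tunnel from the ACL on the interface it enters; it does not exempt inside hosts leaving toward the tunnel, so an ACL applied inbound on the inside interface still has to permit them.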