topic Allow which protocol for VPN tunnel in Network Security

Allow which protocol for VPN tunnel

johnlloyd_13 — Tue, 12 Mar 2019 03:08:16 GMT

hi all,

i'm going to open ports for a VPN tunnel on our ASA 5520 FW.

please advise if i would allow the protocol IP or GRE or both to able to run a VPN tunnel between 2 routers?

access-list OUTSIDE extended permit ip host 2.2.2.2 host 1.1.1.1

jumora — Fri, 22 Nov 2013 03:40:19 GMT

Traffic to the device does not require ACLs

Value our effort and rate the assistance!

jumora — Fri, 22 Nov 2013 03:40:50 GMT

Unless you have control plane ACL

Value our effort and rate the assistance!

johnlloyd_13 — Fri, 22 Nov 2013 03:52:04 GMT

hi jumora,

thanks for your reply!

i need to explicitly allow VPN ports/traffic since there's an ASA between the 2 routers.

i could see in our current production environment, there's ISAKMP and UDP port 4500 there were opened.

do i also need to open these ports?

access-list OUTSIDE extended permit udp any host HOST eq isakmp

access-list OUTSIDE extended permit udp any host HOST eq 4500

access-list OUTSIDE extended permit gre host 62.x.x.x host 202.x.x.x

jumora — Fri, 22 Nov 2013 04:30:08 GMT

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPSec tunnel

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit ESP host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN

Value our effort and rate the assistance!

johnlloyd_13 — Fri, 22 Nov 2013 05:40:09 GMT

hi jumora,

thanks again for your reply!

we'll be setting up only the GRE tunnel on both routers and no IPsec involved.

thanks for the tip and case resolved!