Basic ACL Question

jwbensley — Mon, 11 Mar 2019 22:20:16 GMT

Hi There,

I have a 5505 on ASA 8.2 in the field already working. It has two interfaces, LAN/inside and WAN/outside. There is an L2 site-to-site IPSec tunnel configured from the outside interface of the local ASA to the outside interface of a remote F/W (between local internal host .1/32 and remote internal host .1/32).

I want to enable port forwading for a single port to the outside IP of the local ASA to forward to the internal host .2

If I apply the below configurations at the CLI will this let in the desired traffic without dirupting the IPSec tunnel?

access-list outside_access_in extended permit tcp any interface outside eq 555

static (inside,outside) tcp interface 555 192.168.0.2 555 netmask 255.255.255.255

Thanks for reading.

Basic ACL Question

eddie.harmoush — Fri, 27 Jan 2012 20:22:18 GMT

If your encryption domain ACL includes only the hosts x.x.x.1 and x.x.x.1, then your static port forward for x.x.x.2 should not cause any issues with the VPN. To be sure, I am answering this under the understanding that the connection to your FW's Interface IP & port 555 is not coming from within the VPN tunnel.

Moreover, the port you are using (555) is not a standard port used in IPSec VPNs, so you don't have to worry about anything there. Most VPNs will be using protocol 50 (ESP), protocol 51 (AH), UDP port 500 (ISAKMP), or UDP port 4500 (NAT-T). So TCP 555 does not run the risk of overlapping with one of these.

topic Basic ACL Question in Network Security

Basic ACL Question

Basic ACL Question