https://community.cisco.com/t5/network-security/access-list/m-p/998580#M918897 <HTML><HEAD></HEAD><BODY><P>Please note that ESP = IP Protocol # 50 and not Port # 50 (Like we have in UDP/TCP).</P><P></P><P>However you can make your access-list more granular, you will always know the IP address of the VPN gateway (Server), you can put that as 'host <GATEWAY-IP-ADDR>' in the access-list</GATEWAY-IP-ADDR></P><P></P><P>access-list outside_access_in_1 extended permit esp any host N.N.N.N</P><P></P><P>Assuming VPN server is behind ASA.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 12:52:36 GMT Farrukh Haroon 2008-06-05T12:52:36Z https://community.cisco.com/t5/network-security/access-list/m-p/998579#M918896 <P>Hi, We have ASA 5505 FW in Production which is working fine but the inside NOC users connect with Miami Servers which is located at data center and we can connect those servers by using Lucent VPN client and for giving access the servers I have make a following access-list which is access-list outside_access_in_1 extended permit esp any any</P><P></P><P>Can I make the access list port based like if I open directly port 50 then will it work instead of making esp rule.</P><P></P><P>May I know that the above command is sufficient as security wise or is there any other rule we can make for allowing the IP sec traffic from outside traffic. </P> Mon, 11 Mar 2019 12:55:37 GMT https://community.cisco.com/t5/network-security/access-list/m-p/998579#M918896 ray_stone 2019-03-11T12:55:37Z https://community.cisco.com/t5/network-security/access-list/m-p/998580#M918897 <HTML><HEAD></HEAD><BODY><P>Please note that ESP = IP Protocol # 50 and not Port # 50 (Like we have in UDP/TCP).</P><P></P><P>However you can make your access-list more granular, you will always know the IP address of the VPN gateway (Server), you can put that as 'host <GATEWAY-IP-ADDR>' in the access-list</GATEWAY-IP-ADDR></P><P></P><P>access-list outside_access_in_1 extended permit esp any host N.N.N.N</P><P></P><P>Assuming VPN server is behind ASA.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 05 Jun 2008 12:52:36 GMT https://community.cisco.com/t5/network-security/access-list/m-p/998580#M918897 Farrukh Haroon 2008-06-05T12:52:36Z https://community.cisco.com/t5/network-security/access-list/m-p/998581#M918898 <HTML><HEAD></HEAD><BODY><P>Hi Ray,</P><P></P><P>Really for your VPN tunnel you need to ensure that you specify the from and to groups rather than a blanket any any..</P><P></P><P>Depending on the transform sets you will also need to premit either ahp or more likely ISAKMP </P><P></P><P>access-list 101 permit upd from to eq isakmp</P><P></P><P>debugging the tunnel</P><P></P><P>show crypto ipsec sa</P><P>show crypto isakmp sa</P><P></P><P>Will reveal if the stages are passed, it may be that if you debug the first stage the ends may not have matching transforms sets which would be revealed.</P><P></P><P></P><P></P><P></P></BODY></HTML> Thu, 05 Jun 2008 15:31:52 GMT https://community.cisco.com/t5/network-security/access-list/m-p/998581#M918898 paulwhite1977 2008-06-05T15:31:52Z https://community.cisco.com/t5/network-security/access-list/m-p/998582#M918899 <HTML><HEAD></HEAD><BODY><P>Most of your VPN security is going to be derived from making good ISAKMP and IPSec policy decisions such as:</P><P></P><P>- The size of your RSA keys (modulus) when using RSA-ENCR or RSA-SIG; each of which is preferable compared to pre-shared keys.</P><P>- Defining specific peers when possible.</P><P>- Lifetimes of the ISAKMP SA, and IPSec SAs</P><P>- Choice of authentication and encryption transforms for ISAKMP and IPSec</P><P>- DFH Group</P><P>- PFS (Perfect Forward Secrecy)</P><P></P></BODY></HTML> Thu, 05 Jun 2008 19:31:14 GMT https://community.cisco.com/t5/network-security/access-list/m-p/998582#M918899 michael.leblanc 2008-06-05T19:31:14Z https://community.cisco.com/t5/network-security/access-list/m-p/998583#M918900 <HTML><HEAD></HEAD><BODY><P>Regarding the additional ACE suggestion:</P><P></P><P>AHP would be an alternative to ESP, but not an alternative to ISAKMP.</P><P></P><P></P></BODY></HTML> Thu, 05 Jun 2008 19:35:44 GMT https://community.cisco.com/t5/network-security/access-list/m-p/998583#M918900 michael.leblanc 2008-06-05T19:35:44Z