06-05-2008 03:50 AM - edited 03-11-2019 05:55 AM
Hi, we have an ASA 5505 firewall in production which is working fine, but the inside NOC users connect to Miami servers located at the data center. We connect to those servers using the Lucent VPN client, and to give access to the servers I have made the following access list:
access-list outside_access_in_1 extended permit esp any any
Can I make the access list port based, i.e. if I open port 50 directly, will it work instead of making an ESP rule?
May I know whether the above command is sufficient security-wise, or is there any other rule we can make for allowing the IPsec traffic from outside?
06-05-2008 05:52 AM
Please note that ESP = IP protocol # 50 and not port # 50 (like we have in UDP/TCP).
However, you can make your access list more granular: you will always know the IP address of the VPN gateway (server), so you can put that as 'host':
access-list outside_access_in_1 extended permit esp any host N.N.N.N
Assuming the VPN server is behind the ASA.
Regards
Farrukh
06-05-2008 08:31 AM
Hi Ray,
Really, for your VPN tunnel you need to ensure that you specify the from and to groups rather than a blanket any any.
Depending on the transform sets you will also need to permit either AHP or, more likely, ISAKMP:
access-list 101 permit udp from to eq isakmp
Debugging the tunnel:
show crypto ipsec sa
show crypto isakmp sa
will reveal whether the stages are passed; it may be that if you debug the first stage, the ends do not have matching transform sets, which would be revealed.
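The access-list advice from the two replies above, as an added ASA configuration example (not posted by anyone in the thread). It assumes the Lucent clients sit on an inside subnet 192.168.1.0/24 and that the remote VPN gateway in Miami is 203.0.113.10; both addresses are placeholders, as is the ACL name, which is taken from the original post. The broad rule from the question is shown first, then the tighter replacement.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   192.168.1.0/24 = inside subnet running the Lucent client
!   203.0.113.10   = remote VPN gateway (the only peer that should send ESP)
!
! Original rule from the question: any Internet host may send ESP to any
! inside host. ESP is IP protocol 50, matched by the "esp" keyword; it is
! not a TCP/UDP port, so a rule such as "permit tcp any any eq 50" would
! match TCP port 50 and never carry IPsec traffic.
access-list outside_access_in_1 extended permit esp any any
!
! Tighter replacement: remove the blanket rule and pin ESP to the known
! gateway as source and the client subnet as destination.
no access-list outside_access_in_1 extended permit esp any any
access-list outside_access_in_1 extended permit esp host 203.0.113.10 192.168.1.0 255.255.255.0
!
! ISAKMP (IKE) runs on UDP/500 and NAT-T encapsulated ESP on UDP/4500.
! The ASA keeps UDP connection state, so IKE started from inside normally
! needs no inbound rule; these entries are only needed if the gateway
! initiates toward the clients. AH (protocol 51) would use "ahp" instead
! of "esp" and is an alternative to ESP, not to ISAKMP.
access-list outside_access_in_1 extended permit udp host 203.0.113.10 192.168.1.0 255.255.255.0 eq isakmp
access-list outside_access_in_1 extended permit udp host 203.0.113.10 192.168.1.0 255.255.255.0 eq 4500
!
! Bind the list inbound on the outside interface (usually already present).
access-group outside_access_in_1 in interface outside
```

Check hit counts with `show access-list outside_access_in_1` while a client connects; the ESP entry should increment only once the ISAKMP exchange completes. One caveat: if the inside clients are PAT'd to the outside interface address, bare ESP cannot be port-translated, so several concurrent clients will only work with NAT-T (UDP/4500), and on pre-8.3 code the ACL destination must be the translated (outside) address rather than the inside subnet. The ASA's `inspect ipsec-pass-thru` inspection is the alternative to a static ESP rule: it permits ESP only for peers that already have an ISAKMP connection through the firewall.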
06-05-2008 12:35 PM
Regarding the additional ACE suggestion:
AHP would be an alternative to ESP, but not an alternative to ISAKMP.
06-05-2008 12:31 PM
Most of your VPN security is going to be derived from making good ISAKMP and IPSec policy decisions such as:
- The size of your RSA keys (modulus) when using RSA-ENCR or RSA-SIG, each of which is preferable to pre-shared keys.
- Defining specific peers when possible.
- Lifetimes of the ISAKMP SA, and IPSec SAs
- Choice of authentication and encryption transforms for ISAKMP and IPSec
- DH group
- PFS (Perfect Forward Secrecy)
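The policy items in the list above, turned into an added ASA configuration example (not from the thread). It assumes the ASA itself terminates a site-to-site tunnel to a peer at 203.0.113.10 (placeholder), protecting 192.168.1.0/24 to 10.20.0.0/16 (placeholder subnets), and that a trustpoint named CA-TP (hypothetical name) already holds the ASA's certificate. The weak settings are shown commented out beside the stronger ones so each choice in the list can be compared.

```cisco
! Added example, not from the original thread. Placeholders: peer
! 203.0.113.10, local 192.168.1.0/24, remote 10.20.0.0/16, trustpoint CA-TP.
!
! Key size: generate a 2048-bit modulus before enrolling the trustpoint.
! crypto key generate rsa label VPN-KEY modulus 2048
!
! Weak ISAKMP policy (kept only for comparison): PSK, DES, MD5, DH group 1.
! crypto isakmp policy 10
!  authentication pre-share
!  encryption des
!  hash md5
!  group 1
!  lifetime 86400
!
! Stronger ISAKMP policy: certificate auth, AES-256, SHA-1, DH group 5,
! and a shorter phase 1 lifetime (seconds).
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto isakmp enable outside
!
! IPsec transforms: ESP with AES-256 encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Specific peer and specific traffic rather than a blanket any/any.
access-list MIAMI_VPN extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto map outside_map 10 match address MIAMI_VPN
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES256-SHA
! PFS: fresh DH exchange for every phase 2 SA.
crypto map outside_map 10 set pfs group5
! Phase 2 SA lifetime (seconds); shorter than the ISAKMP lifetime.
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
! Bind the certificate to the peer's tunnel group.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 trust-point CA-TP
```

After the tunnel is up, `show crypto isakmp sa` should list the peer with the negotiated policy, and `show crypto ipsec sa` shows the transform set, PFS group and remaining lifetime per SA; a mismatch on any of these with the Miami side will show up as phase 1 or phase 2 failing in `debug crypto isakmp`.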