cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
947
Views
0
Helpful
5
Replies

Allow which protocol for VPN tunnel

johnlloyd_13
Level 9
Level 9

hi all,

i'm going to open ports for a VPN tunnel on our ASA 5520 FW.

please advise if i would allow the protocol IP or GRE or both to able to run a VPN tunnel between 2 routers?

access-list OUTSIDE extended permit ip host 2.2.2.2 host 1.1.1.1

1 Accepted Solution

Accepted Solutions

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPSec tunnel

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit ESP host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN

Value our effort and rate the assistance!

Value our effort and rate the assistance!

View solution in original post

5 Replies 5

jumora
Level 7
Level 7

Traffic to the device does not require ACLs

Value our effort and rate the assistance!

Value our effort and rate the assistance!

Unless you have control plane ACL

Value our effort and rate the assistance!

Value our effort and rate the assistance!

hi jumora,

thanks for your reply!

i need to explicitly allow VPN ports/traffic since there's an ASA between the 2 routers.

i could see in our current production environment, there's ISAKMP and UDP port 4500 there were opened.

do i also need to open these ports?

access-list OUTSIDE extended permit udp any host HOST eq isakmp

access-list OUTSIDE extended permit udp any host HOST eq 4500

access-list OUTSIDE extended permit gre host 62.x.x.x host 202.x.x.x

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPSec tunnel

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit ESP host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN

Value our effort and rate the assistance!

Value our effort and rate the assistance!

hi jumora,

thanks again for your reply!

we'll be setting up only the GRE tunnel on both routers and no IPsec involved.

thanks for the tip and case resolved!

Review Cisco Networking for a $25 gift card