Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
946
Views
0
Helpful
5
Replies

Allow which protocol for VPN tunnel

Go to solution
johnlloyd_13
Level 9
Level 9

‎11-21-2013 06:54 PM - edited ‎03-11-2019 08:08 PM

hi all,

i'm going to open ports for a VPN tunnel on our ASA 5520 FW.

please advise if i would allow the protocol IP or GRE or both to able to run a VPN tunnel between 2 routers?

access-list OUTSIDE extended permit ip host 2.2.2.2 host 1.1.1.1

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jumora
Level 7
Level 7
In response to johnlloyd_13

‎11-21-2013 08:30 PM

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPSec tunnel

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit ESP host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN

Value our effort and rate the assistance!

Value our effort and rate the assistance!

View solution in original post

0 Helpful
5 Replies 5

Go to solution
jumora
Level 7
Level 7

‎11-21-2013 07:40 PM

Traffic to the device does not require ACLs

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to jumora

‎11-21-2013 07:40 PM

Unless you have control plane ACL

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to jumora

‎11-21-2013 07:52 PM

hi jumora,

thanks for your reply!

i need to explicitly allow VPN ports/traffic since there's an ASA between the 2 routers.

i could see in our current production environment, there's ISAKMP and UDP port 4500 there were opened.

do i also need to open these ports?

access-list OUTSIDE extended permit udp any host HOST eq isakmp

access-list OUTSIDE extended permit udp any host HOST eq 4500

access-list OUTSIDE extended permit gre host 62.x.x.x host 202.x.x.x

0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to johnlloyd_13

‎11-21-2013 08:30 PM

Depends on the type of VPN you are configuring on the routers.

GRE tunnel:

access-list OUTSIDE extended permit gre host Remote_GRE host LOCAL_GRE

IPSec tunnel

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 500

access-list OUTSIDE extended permit UDP host Remote_IPSec host Local_IPsec eq 4500

access-list OUTSIDE extended permit ESP host Remote_IPSec host Local_IPsec

What version are you running on the ASA that is between the devices that will VPN

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to jumora

‎11-21-2013 09:40 PM

hi jumora,

thanks again for your reply!

we'll be setting up only the GRE tunnel on both routers and no IPsec involved.

thanks for the tip and case resolved!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card