When you create a site-to-site VPN on a Cisco ASA firewall, do you also need to open the ACL applied to the outside interface to allow the same traffic as specified in the crypto ACL for it to work?
The setup I have is that the remote end has a site-to-site VPN with my ASA firewall, and the subnet on my side is a public IP subnet, which is NATed to private IPs behind the firewall. I was assuming that the remote traffic comes over the tunnel and hits the ASA public interface, and if the crypto ACL allows that traffic it should work. But for some reason I had to open the outside ACL for the same subnets to make it work. Is that the right way of doing it?
VPN is all about communication between private network addresses. The public IP addresses, better known as routable IP addresses, are merely used to establish VPN peers, nothing more.
Hence, in your case, there’s no need to open any rules on the outside interface. This concept applies not only to Cisco products but any other competitor products too.
Basically, there are 3 rules/policies in a Cisco FW that you'll need to ensure are correctly done. Firstly, the ACLs that are applied to the interface/nameif. Secondly, the ACLs that are applied to the crypto maps. Third and last, the ACLs tied to the NAT exemption: nat (nameif) 0 access-list _____.
When a host on a private subnet in Location A wants to communicate with a host on a private subnet in Location B, it bypasses the outside / public IP interface.
You might want to paste your config here, so that the folks in the community can clarify things with you.
The private subnet on my side is NATed to a public subnet, and that public subnet is being used in the crypto ACL. The reason being we don't want to disclose the private subnet info to the customer, as that is our core network.
Could you furnish a simple diagram here (with fake IPs) to explain your situation further?
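A configuration sketch, added here and not taken from either poster, using fake IPs as suggested: it shows the three policies the answer lists (interface ACL, crypto ACL, NAT) together with the NAT-to-public-subnet arrangement the follow-up describes. ASA 8.3+ syntax is assumed; all object names, addresses and the peer address are constructed.

```cisco
! Added example (not the poster's config). Constructed addresses:
!   our private subnet        10.10.10.0/24   (kept hidden from the peer)
!   our translated public     203.0.113.0/24  (what the peer and crypto ACL see)
!   remote private subnet     192.168.50.0/24, remote peer address 198.51.100.1
!
! Policy 1: interface ACL. Only through-traffic is checked here. IKE/ESP are
! terminated on the box, and decrypted tunnel traffic bypasses this ACL while
! "sysopt connection permit-vpn" is at its default (enabled). If someone has set
! "no sysopt connection permit-vpn", this ACL must also permit the decrypted
! flows, which is the behaviour the question describes.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Policy 3 (8.3+ syntax): NAT for the tunnel. Instead of the pre-8.3
! "nat (inside) 0 access-list" exemption, a manual static NAT translates the
! private subnet to the public one only for traffic to/from the remote subnet.
object network OUR_PRIVATE
 subnet 10.10.10.0 255.255.255.0
object network OUR_PUBLIC
 subnet 203.0.113.0 255.255.255.0
object network REMOTE_PRIVATE
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static OUR_PRIVATE OUR_PUBLIC destination static REMOTE_PRIVATE REMOTE_PRIVATE

! Policy 2: crypto ACL. It must match the addresses as they appear on the wire
! after NAT, so it names the public subnet, never the private one. The peer's
! crypto ACL must be the mirror image (192.168.50.0/24 -> 203.0.113.0/24).
access-list VPN_TO_PEER extended permit ip 203.0.113.0 255.255.255.0 192.168.50.0 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_REAL_KEY

! Checks: is the interface-ACL bypass on, and is the SA passing traffic?
! show running-config all sysopt          -> expect "sysopt connection permit-vpn"
! show crypto ipsec sa peer 198.51.100.1  -> #pkts encaps/decaps increasing
```

If the first check shows "no sysopt connection permit-vpn", the interface ACL is being consulted for decrypted traffic, and that, rather than the crypto ACL, is why extra outside rules were needed.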