
GRE tunnel over Firewall

anton.caldeir
Level 1

Hi Folks,

 

We built an IPsec tunnel from a remote-site router to our central-site router. We have a corporate firewall (ASA) protecting our central site...

 

To accomplish this we configured on the ASA a one-to-one static NAT and an inbound access-list permitting the remote-site IP on ports UDP/4500 and UDP/500…

 

Regarding the static NAT on the ASA, is it normal practice to open ports inbound so the IPsec tunnel can be established? Is it considered secure? I have searched for a design guide or best practices for when we need to build an IPsec tunnel, or any other type of tunnel, through an ASA, but I did not find anything....

 

Can anyone help….

 

Best Regards

António


3 Replies

Hi @anton.caldeir there probably won't be a design guide for your specific design, establishing a VPN tunnel with a router behind an ASA. As long as the IPSec algorithms you use are strong enough and the authentication method is not weak it should be secure.

Thanks a lot for your help Rob.

And the fact that we are opening inbound ports for the remote-site IP on the ASA:

access-list outside_access_in extended permit udp "Remote_Site_IP" "central_site_IP" eq 4500
access-list outside_access_in extended permit udp "Remote_Site_IP" "central_site_IP" eq isakmp

Could this be a potential security threat to our organization, or could it be exploited by untrusted people?

Best Regards
António

@anton.caldeir you are being very specific in your source in the ACL, so that would reduce the chances of being a threat.
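The setup discussed in this thread (a VPN router behind an ASA, reached through a one-to-one static NAT, with the inbound ACL restricted to the remote peer), written out as a complete ASA 8.3+ configuration. This is an added example, not configuration from the original poster or from Cisco; all object names and addresses (203.0.113.10 as the public NAT address, 10.10.10.10 as the central-site router's inside address, 198.51.100.20 as the remote site's public IP) are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Assumed addresses:
!   203.0.113.10  = public address the remote site connects to (the "central_site_IP")
!   10.10.10.10   = central-site VPN router, inside address
!   198.51.100.20 = remote-site router, public address (the "Remote_Site_IP")

object network VPN_ROUTER_PUBLIC
 host 203.0.113.10
 description Public (mapped) address of the central-site VPN router

object network VPN_ROUTER_INSIDE
 host 10.10.10.10
 description Central-site VPN router, real (inside) address
 ! One-to-one static NAT: 10.10.10.10 <-> 203.0.113.10 (object NAT, ASA 8.3+)
 nat (inside,outside) static VPN_ROUTER_PUBLIC

object network REMOTE_SITE_PEER
 host 198.51.100.20
 description Remote-site router, public address (the only allowed IKE peer)

! Inbound ACL on the outside interface. From ASA 8.3 the ACL matches on the
! real (inside) address, not the mapped one. The source is a single host, so
! only the remote peer can reach IKE (UDP/500) and NAT-T (UDP/4500) on the router.
access-list outside_access_in remark IPsec from remote site to central VPN router only
access-list outside_access_in extended permit udp object REMOTE_SITE_PEER object VPN_ROUTER_INSIDE eq isakmp
access-list outside_access_in extended permit udp object REMOTE_SITE_PEER object VPN_ROUTER_INSIDE eq 4500
! No separate permit for ESP (IP protocol 50): because the central router sits
! behind NAT, the peers detect this during IKE and carry ESP inside UDP/4500
! (NAT-T), so an ESP entry would never be matched.

access-group outside_access_in in interface outside

! What to avoid: a source of "any" exposes the router's IKE service to the whole
! internet. Shown commented out, not configured:
! access-list outside_access_in extended permit udp any object VPN_ROUTER_INSIDE eq isakmp
```

Two things worth checking after applying this: `show nat detail` should list the static translation with hit counts once the peer connects, and `show access-list outside_access_in` should show hits only on the two host-specific lines; any broader source in that ACL is what turns "open ports for the tunnel" into real exposure.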
