07-07-2008 08:49 PM - edited 03-11-2019 06:10 AM
Hi
I created a site-to-site VPN between an ASA and a PIX with no sysopt connection permit-vpn.
I used an interface access-list to control what the remote site (PIX) can access at the main site (ASA).
IPSec connection is up and everything is working fine.
I have a question related to the access rules for ISAKMP and IPSec.
1. Do I need to create an access rule to permit the protocols ISAKMP, ESP and AH at the outside interface?
My understanding is that when traffic comes to an interface, the access rule is applied and packets are permitted or dropped based on the rules.
It seems the IPSec tunnel can be established without even applying those access rules at the interface.
Thanks in advance for your time!
Best Regards
Joe
07-07-2008 09:53 PM
You have to have an ACL that allows ISAKMP and ESP from your remote site to your local site and vice versa to establish the tunnel on the terminating device; reasonably, if you block it, how is the tunnel going to be established!
07-07-2008 10:00 PM
Hi
Connection is like this.
Main Site > ASA > Outside < PIX
From the inside interface of both main/remote sites, allow everything.
An ACL is applied to the outside interface of both. But this ACL doesn't permit ISAKMP, ESP, AH. The tunnel is still established. That's why it puzzles me.
The IPSec connection doesn't go through the firewalls; it ends at the outside interface of both FWs.
To repeat my question: if the ACL doesn't allow it, why can the tunnel still be established and IPSec packets go through? If I blocked other traffic, I could see that the network became unreachable, but it seems like I don't need to put an ACL for ISAKMP, AH, ESP..
Any idea?
07-07-2008 10:55 PM
ACL is applied to outside interface of both. But this ACL doesn't permit ISAKMP, ESP, AH. Tunnel is still established.
that is ok.
The access-list which is attached to the outside interface is applied only to traffic going through the PIX and not to traffic terminating on the PIX itself.
If you have "no sysopt connection permit-vpn", you need additional lines in the ACL to permit the traffic inside the IPSec tunnel.
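The rule in the reply above, shown as an added ASA configuration example that is not from the thread or from Cisco's documentation; the interface name, ACL name and subnets (10.1.0.0/24 behind the ASA, 10.2.0.0/24 behind the PIX) are assumed:

```cisco
! Added example (assumed names and subnets), not from the thread.
! Tunnel traffic is NOT implicitly allowed, so decrypted packets arriving
! from the remote LAN are checked against the outside interface ACL.
no sysopt connection permit-vpn
!
! Permit only the remote inside network to reach the main inside network.
access-list outside_in extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! No entry for udp/500 (ISAKMP), esp or ah is needed here: those packets
! terminate on the ASA itself and the through-traffic ACL does not see them.
!
! Explicit deny with logging so anything else reaching the outside
! interface shows up in syslog instead of being dropped silently.
access-list outside_in extended deny ip any any log
!
access-group outside_in in interface outside
!
! Checks from privileged EXEC after the configuration is applied:
show crypto isakmp sa          ! phase 1 SA should be up without any ISAKMP ACL line
show crypto ipsec sa           ! encaps/decaps counters increase as tunnel traffic flows
show access-list outside_in    ! hit counts on the permit line confirm the decrypted traffic is matched
```

The hit counts on the permit line are the practical proof of the statement above: they climb as tunnelled traffic passes, while the ISAKMP and ESP packets themselves never register against the interface ACL. The logged deny line also gives a simple audit trail of what the remote site tried and was refused.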
07-07-2008 10:59 PM
Hi
Thanks for your reply. So, just to be precise, the ACL is only applied to traffic going through the interface and not to traffic terminating at the interface.
I already permit traffic for the inside network to be able to access the remote inside network.
Thanks for the clarification. Is there any reference that I can look at for your statement, because I need to prove it? :)
Thanks.
07-07-2008 11:18 PM
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html#wp1074790
P.S. Rate a post if it was useful