Are RA IPSec and RA SSL VPN ports Allowed by Default?

n3tw0rkguy83
Level 1

Hi Guys,

Perhaps I could research this and would find an answer, but this is kinda urgent. Hopefully someone can help me, and then I'll do further research afterwards.

Here's the scenario:

We have a set of PCs that will be connecting by either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA don't have access lists applied, so from what I understand, there is a default policy applied globally (class-default).

Now my question is: if we set up VPN clients on our PCs, are the ports used by the clients to reach the VPN server allowed by default, or do we need to tweak the class-default? Or is there anything we need to do other than what I've mentioned?

Thanks in advance.

6 Replies

guibarati
Level 4

Class default is used to "inspect" traffic. By default it will not block "anything".

1- If you configure the VPN, the ASA will accept connections for the protocols and ports needed on the interface where you enable the VPN: "isakmp enable outside".

2- The clients connecting to the VPN will have full access to whatever network you specify in the split tunnel, or to all networks if you don't configure split tunnel. This is the default behavior.

You can change that with "no sysopt connection permit-vpn". If you apply this command, all traffic, including VPN traffic, will be evaluated by the interface access-list of the interface where the packet is coming in.

The best way to filter what they can access within the VPN, without the need to use an interface access-list, is to use a filter.

This is in the group-policy mode configuration.

vpn-filter value [access-list name]

Okay. So my question goes like this: does the class-default inspect IPsec remote access or SSL VPN remote access? Just like ICMP, which by default is not inspected, so if you don't tweak the class-default it wouldn't allow ICMP on the data plane, right? The devices behind our firewall are the VPN clients, which connect to the VPN server on the other site.

Hi,

If we look at the transport level, which seems the issue for you, we see:

Traffic originating from IPsec VPN clients is UDP and ESP, and can turn into ESP over UDP if PAT exists on the way to the VPN gateway.

Traffic originating from SSL VPN clients is TCP and UDP.

Assuming your clients are on the inside, the VPN traffic should be inspected by default unless you have some custom access rules that change the behaviour.

Hope this helps.

------------------
Mashal Alshboul


Thanks. We don't have custom access rules on any interface. We were also able to test, and the VPN connection is using SSL VPN (clientless, using a web browser), and it worked.

So if it's using SSL VPN in a web browser, let's say there are custom access rules; which ports are we going to open up?


All traffic over an SSL VPN will go over the HTTPS port (443). Even if you are using a Java applet to allow RDP, etc., all of the traffic will traverse via port HTTPS.

Hope that I could answer your query.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If you are connecting from inside to outside, no ports need to be opened, since that connection will be trusted.

For the RA IPsec users, make sure they use NAT-T, since the FW will not NAT the ESP packets.

WebVPN uses TCP 443, so it will be considered a normal TCP connection.

HTH.

Portu.
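Pulling together the transports named across the replies (IKE over UDP, ESP, NAT-T as ESP over UDP, and TCP/UDP for the SSL VPN), here is an added example that is not from any poster: the inside-interface access-list entries the original poster would need only if a custom access-list were applied inbound on that interface. The interface name "inside", the ACL name INSIDE_IN and the remote gateway address 203.0.113.10 are assumed placeholders; with no ACL on the interface, nothing below is required.

```cisco
! Added example (not from the thread). Remote VPN gateway is a placeholder.
object-group network REMOTE_VPN_GW
 network-object host 203.0.113.10
!
! IPsec remote access: IKE (UDP 500) and NAT-T (UDP 4500, ESP encapsulated in UDP)
access-list INSIDE_IN remark RA IPsec clients to remote gateway
access-list INSIDE_IN extended permit udp any object-group REMOTE_VPN_GW eq isakmp
access-list INSIDE_IN extended permit udp any object-group REMOTE_VPN_GW eq 4500
! Plain ESP, only reachable if no PAT sits between client and gateway
access-list INSIDE_IN extended permit esp any object-group REMOTE_VPN_GW
!
! SSL VPN (clientless or AnyConnect): TCP 443, plus UDP 443 when the gateway runs DTLS
access-list INSIDE_IN remark SSL VPN clients to remote gateway
access-list INSIDE_IN extended permit tcp any object-group REMOTE_VPN_GW eq https
access-list INSIDE_IN extended permit udp any object-group REMOTE_VPN_GW eq 443
!
! Any other inside-to-outside traffic you want to keep, then the implicit deny
access-group INSIDE_IN in interface inside
```

Because ESP carries no ports, the ESP entry cannot be narrowed further; as Portu notes, forcing NAT-T on the clients keeps everything on UDP 4500, where the ASA can track it like any other UDP connection.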
