Must you allow all ports through a firewall that is just going to pass VPN traffic

CiscoPurpleBelt (Level 6)

Let's say you have an ASA firewall in between two endpoints (say another firewall and a router) on which an IPsec tunnel is built; basically you have an ASA that must pass IPsec traffic.

Must the ASA firewall pass only the isakmp and esp services and just the interesting-traffic subnets, or must it pass all the other ports being used as well?

Accepted Solution

Hi,
The firewall rule must permit ESP and UDP/500 (and UDP/4500 if NATting) between the peer (outside-interface) IP addresses only. The interesting-traffic networks would not be seen outside of the VPN tunnel, so you do not need to explicitly permit them on a transit firewall in the path between the VPN peers.

HTH
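The rule set described in the accepted answer, written out as an ASA access list. This is an added example, not configuration posted in the thread; the peer addresses (203.0.113.10 and 198.51.100.20), the object and ACL names, and the interface name `outside` are constructed placeholders.

```cisco
! Added example (not from the thread). A transit ASA sits between two IPsec
! peers and should pass only the tunnel itself, not the protected subnets.
! Peer addresses are constructed placeholders from RFC 5737 documentation ranges.
!
! Too broad: this is what the question was worried about having to do.
! It would also let the "interesting" subnets through in the clear.
!   access-list OUTSIDE_IN extended permit ip any any
!
! Narrow rule set: IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50),
! and only between the two peer (outside-interface) addresses.
object network VPN_PEER_A
 host 203.0.113.10
object network VPN_PEER_B
 host 198.51.100.20
!
access-list OUTSIDE_IN extended permit udp object VPN_PEER_B object VPN_PEER_A eq isakmp
access-list OUTSIDE_IN extended permit udp object VPN_PEER_B object VPN_PEER_A eq 4500
access-list OUTSIDE_IN extended permit esp object VPN_PEER_B object VPN_PEER_A
!
! The implicit deny at the end of the ACL drops everything else, including any
! packet addressed to the interesting-traffic subnets that shows up unencapsulated.
access-group OUTSIDE_IN in interface outside
```

The ACL is applied inbound on the outside interface, which is where a peer on the far side initiates to the near peer; traffic leaving from the higher-security inside interface is permitted by the ASA's default security-level behaviour unless an inside ACL says otherwise. After the tunnel comes up, `show access-list OUTSIDE_IN` should show hit counts on the isakmp line and on either the esp line (no NAT in the path) or the 4500 line (NAT-T in use), and nothing else is needed for the protected subnets because their packets only ever cross this ASA inside ESP.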


2 Replies

Awesome, thanks, that's what I thought.