Contributor

Must you allow all ports through a firewall that is just going to pass VPN traffic

Let's say you have an ASA firewall in between two endpoints (say another firewall and a router) between which an IPsec tunnel is built; basically, you have an ASA that must pass IPsec traffic.

Must the ASA firewall pass only ISAKMP and ESP services plus the interesting-traffic subnets, or must it pass all the other ports being used as well?

Accepted Solution

RJI (VIP Advocate)

Re: Must you allow all ports through a firewall that is just going to pass VPN traffic

Hi,
The firewall rule must permit ESP and UDP/500 (and UDP/4500 if NAT is involved) between the peer (outside interface) IP addresses only. The interesting-traffic networks would not be seen outside of the VPN tunnel, so you do not need to explicitly permit them on a transit firewall that sits in the path between the VPN peers.

HTH
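As an added illustration of the rule described above (example configuration, not from the thread or from Cisco), a transit ASA permitting only IKE, NAT-T and ESP between two VPN peers; the peer addresses and interface names are constructed placeholders:

```cisco
! Added example, not part of the original post. Constructed addresses:
!   203.0.113.10  = remote VPN peer (router) on the outside
!   198.51.100.20 = local VPN peer (firewall) behind this transit ASA
object network VPN-PEER-REMOTE
 host 203.0.113.10
object network VPN-PEER-LOCAL
 host 198.51.100.20

! Outside -> inside: only IKE (UDP/500), NAT-T (UDP/4500) and ESP, and only
! between the two peer addresses. No entries for the protected LAN subnets:
! that traffic exists only inside the ESP payload and is never seen here.
access-list OUTSIDE_IN extended permit udp object VPN-PEER-REMOTE object VPN-PEER-LOCAL eq isakmp
access-list OUTSIDE_IN extended permit udp object VPN-PEER-REMOTE object VPN-PEER-LOCAL eq 4500
access-list OUTSIDE_IN extended permit esp object VPN-PEER-REMOTE object VPN-PEER-LOCAL
access-group OUTSIDE_IN in interface outside

! Inside -> outside: mirror of the above so either peer can initiate IKE.
! (ASA allows higher- to lower-security traffic by default; an explicit ACL
! keeps the transit device to the minimum needed for the tunnel.)
access-list INSIDE_IN extended permit udp object VPN-PEER-LOCAL object VPN-PEER-REMOTE eq isakmp
access-list INSIDE_IN extended permit udp object VPN-PEER-LOCAL object VPN-PEER-REMOTE eq 4500
access-list INSIDE_IN extended permit esp object VPN-PEER-LOCAL object VPN-PEER-REMOTE
access-group INSIDE_IN in interface inside
```

If either peer sits behind NAT, the ESP entries will see no traffic because the payload is carried inside UDP/4500; the UDP/500 and UDP/4500 entries then carry the whole tunnel.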
Contributor

Re: Must you allow all ports through a firewall that is just going to pass VPN traffic

Awesome, thanks, that's what I thought.