514 Views, 0 Helpful, 2 Replies

Bypass Upstream Corporate Router ACL with IPSEC VPN

mlenco (Level 1)

Hello

My corporate office has an enterprise routing infrastructure. I want to set up a site-to-site IPsec VPN as well as an AnyConnect WebVPN solution for my users through the enterprise. If the corporate security guys create an ACL on the upstream router, from my Cisco ASA 5585, to allow IPsec between the /28 (the segment between my outside ASA interface and the PO trunk on the upstream corporate router), then I can send ip any any between the subnet on my inside interface and the subnet on the inside interface of the distant ASA (still on the corporate enterprise infrastructure), holding routing constant, correct? In short, if a packet is encrypted in an IPsec packet and IPsec is not filtered, then you can send any traffic even if there are more restrictive ACEs on an upstream router ACL, correct?

 

Thanks!

 

Matt

CCNP

Accepted Solution

You are right, the corporate router can't look into the VPN-packet. So whatever is transported inside the VPN, it bypasses the corporate security-ACL.

To get VPN-traffic to your ASA, you need the following protocols/ports:

  1. UDP/500, UDP/4500, IP/50 for IPsec
  2. TCP/443, UDP/443 for AnyConnect with SSL/TLS
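As an added example (not part of the original post, and not taken from Cisco documentation), this is what the upstream router ACL and the matching ASA-side policy look like when the corporate team permits only the protocols listed in the answer above. The ASA outside address 203.0.113.10, the remote peer 198.51.100.20, the inside subnets 10.1.0.0/24 and 10.2.0.0/24, the interface, and all ACL, group-policy and tunnel-group names are assumed placeholders. The design point for the corporate side is that once ESP and TLS are permitted to the ASA, the router's ACEs no longer constrain anything carried inside the tunnel; the ASA's crypto ACL and vpn-filter become the enforcement point, so any restriction the upstream ACL was meant to impose on that traffic has to be reproduced there.

```cisco
! --- Upstream corporate router (IOS): permit only VPN transport to/from the ASA ---
! Applied on the interface facing the /28 toward the ASA: "out" carries traffic
! toward the ASA outside address, "in" carries the ASA's replies. (placeholder addresses)
ip access-list extended VPN-TRANSPORT-TO-ASA
 remark IKE (UDP/500) and NAT-T (UDP/4500) to the ASA outside address
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark ESP (IP protocol 50) carries the encrypted tunnel payload; the router
 remark cannot see or filter what is inside it
 permit esp any host 203.0.113.10
 remark AnyConnect SSL/TLS (TCP/443) and DTLS (UDP/443)
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443
 remark everything else stays under the existing restrictive policy
 deny   ip any any log
!
ip access-list extended VPN-TRANSPORT-FROM-ASA
 permit udp host 203.0.113.10 eq isakmp any
 permit udp host 203.0.113.10 eq non500-isakmp any
 permit esp host 203.0.113.10 any
 permit tcp host 203.0.113.10 eq 443 any
 permit udp host 203.0.113.10 eq 443 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description /28 toward ASA-5585 outside interface (assumed interface)
 ip access-group VPN-TRANSPORT-TO-ASA out
 ip access-group VPN-TRANSPORT-FROM-ASA in

! --- ASA 5585 (ASA OS): the tunnel's inner traffic is filtered here, not upstream ---
! Crypto ACL: only these inside subnets are ever encrypted into the site-to-site tunnel.
access-list L2L-CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! vpn-filter ACL: evaluated on decrypted traffic, written remote-as-source /
! local-as-destination. Because "sysopt connection permit-vpn" (the default) lets
! decrypted VPN traffic bypass the outside interface ACL, this filter is where the
! policy the upstream ACL can no longer enforce gets reproduced. Example policy:
! the remote site may reach only HTTPS and DNS on the local subnet.
access-list L2L-FILTER extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list L2L-FILTER extended permit udp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 53
access-list L2L-FILTER extended deny ip any any
!
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value L2L-FILTER
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy L2L-GP
```

The router half needs nothing beyond the five permits from the answer; the ASA half is where the review effort belongs, since the vpn-filter (and the AnyConnect group-policy equivalents for the WebVPN users) is the only place the decrypted traffic is inspected before it reaches the inside subnet. Logging the final deny on the router makes it visible when something other than IKE, ESP or TLS is attempted toward the ASA outside address.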


2 Replies


Thanks, that is what I thought.