11-26-2014 07:51 AM - edited 02-21-2020 07:57 PM
Hello
My corporate office has an enterprise routing infrastructure. I want to set up a site-to-site IPsec VPN as well as an AnyConnect WebVPN solution for my users through the enterprise. If the corporate security guys create an ACL on the upstream router, from my Cisco ASA 5585, to allow IPsec between the /28 (the segment between my outside ASA interface and the PO trunk on the upstream corporate router), then I can send ip any any between the subnet on my inside interface and the subnet on the inside interface of the distant ASA (still on the corporate enterprise infrastructure, holding routing constant), correct? In short, if a packet is encrypted in an IPsec packet and IPsec is not filtered, then you can send any traffic even if there are more restrictive ACEs on an upstream router ACL, correct?
Thanks!
Matt
CCNP
11-26-2014 08:58 AM
You are right, the corporate router can't look into the VPN packet. So whatever is transported inside the VPN bypasses the corporate security ACL.
To get VPN traffic to your ASA, you need the following protocols/ports:
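As an added illustration of the point in this answer (an editor's example, not part of the reply and not Cisco code), the Python toy model below builds a cleartext telnet packet and the same packet wrapped in tunnel-mode ESP, then runs a Cisco-style first-match ACL over each. The matcher reads only the outer IP header, as a transit router does, so a "deny tcp any any eq 23" entry matches the cleartext packet but never the ESP packet, which only matches the "permit esp" entry. The addresses, SPI and XOR "encryption" are constructed stand-ins. The closing check applies the same rule after the receiving ASA has stripped ESP, which is the only place such a filter can take effect. The entries permitting UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50) between the two peers are the protocols the tunnel itself needs from the upstream ACL.

```python
"""Why an upstream ACL cannot filter traffic carried inside an IPsec tunnel.

Toy model (constructed values throughout): build an inner IPv4/TCP packet,
wrap it in ESP behind an outer IPv4 header, and run a Cisco-style ACL match
over each. The matcher only reads the outer header, as a transit router does.
"""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp", IPPROTO_ESP: "esp"}

# Constructed addresses (documentation ranges) standing in for the /28 transit
# segment and the two inside subnets from the question.
ASA_OUTSIDE, PEER_OUTSIDE = "192.0.2.2", "198.51.100.2"
INSIDE_HOST, REMOTE_HOST = "10.1.1.5", "10.2.2.7"


def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header, no options; checksum left 0 (nothing here verifies it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def build_tcp(sport, dport):
    """Minimal TCP header: ports, zeroed seq/ack, data offset 5, SYN flag only."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)


def esp_encapsulate(inner_pkt, spi=0x1000, seq=1):
    """Tunnel-mode ESP: outer IP (proto 50) + SPI/seq + opaque payload.
    XOR with a constant stands in for real encryption; the router sees only bytes."""
    ciphertext = bytes(b ^ 0x5A for b in inner_pkt)
    return build_ipv4(ASA_OUTSIDE, PEER_OUTSIDE, IPPROTO_ESP,
                      struct.pack("!II", spi, seq) + ciphertext)


def esp_decapsulate(outer_pkt):
    """What the receiving ASA does before its own policy can see the inner packet."""
    return bytes(b ^ 0x5A for b in outer_pkt[20 + 8:])   # skip outer IP + ESP SPI/seq


@dataclass
class Ace:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip', 'tcp', 'udp' or 'esp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # only meaningful for tcp/udp


def parse_header(pkt):
    """Fields visible without decrypting: src, dst, protocol and, only for
    cleartext TCP/UDP, the destination port."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        dport = struct.unpack("!HH", pkt[ihl:ihl + 4])[1]
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, dport


def acl_lookup(acl, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    src, dst, proto, dport = parse_header(pkt)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != PROTO_NAMES.get(proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


net = ipaddress.IPv4Network
ANY = net("0.0.0.0/0")
# Constructed upstream-router ACL: blocks telnet everywhere, but permits the
# IPsec control and data protocols between the two VPN endpoints.
UPSTREAM_ACL = [
    Ace("deny", "tcp", ANY, ANY, 23),
    Ace("permit", "udp", net(ASA_OUTSIDE + "/32"), net(PEER_OUTSIDE + "/32"), 500),   # IKE
    Ace("permit", "udp", net(ASA_OUTSIDE + "/32"), net(PEER_OUTSIDE + "/32"), 4500),  # NAT-T
    Ace("permit", "esp", net(ASA_OUTSIDE + "/32"), net(PEER_OUTSIDE + "/32")),
]
# The same telnet rule applied by the decrypting ASA, where it actually works.
INSIDE_ACL = [Ace("deny", "tcp", ANY, ANY, 23), Ace("permit", "ip", ANY, ANY)]


def telnet_inner():
    return build_ipv4(INSIDE_HOST, REMOTE_HOST, IPPROTO_TCP, build_tcp(40000, 23))


def upstream_verdict_cleartext():
    return acl_lookup(UPSTREAM_ACL, telnet_inner())                     # 'deny'


def upstream_verdict_tunneled():
    return acl_lookup(UPSTREAM_ACL, esp_encapsulate(telnet_inner()))    # 'permit'


def asa_verdict_after_decrypt():
    return acl_lookup(INSIDE_ACL, esp_decapsulate(esp_encapsulate(telnet_inner())))  # 'deny'
```

Running the three verdict functions shows the upstream ACL denying the cleartext telnet packet, permitting the identical packet once it is inside ESP, and the ASA's own policy denying it again after decapsulation.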
11-26-2014 10:00 AM
Thanks, that is what I thought.