12-29-2022 03:16 AM - edited 12-29-2022 03:20 AM
Hi everyone,
Just wondering if I need to create an inbound ACL on the ASA for it to establish a S2S tunnel?
A lot of engineers say you need to, I understand if there is another firewall behind it that needs to establish a tunnel, but what if its just a single firewall peering with another?
I have seen some ASAs establish a tunnel as the responder and there was no inbound ACL allowing the UDP ports, and checked the asp table, no listening ports for 500 and 4500.
So I am a bit confused now.
12-29-2022 03:25 AM
@afo99 If there is no firewall in front of the ASA then you don't generally need to define an ACL, so no you do not need to permit the traffic in order for the VPN to establish. The normal ACL on the ASA applied inbound on the outside interface is for traffic "through" the ASA not "to" the ASA itself.
In the unlikely event you are using a control-plane ACL, this restricts traffic to the ASA's interface, so in this scenario you would need to permit udp/500 and ESP. In my experience, most people do not use a control-plane ACL.
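The control-plane ACL case mentioned in the answer above, as an added ASA configuration example that is not from the post or from Cisco documentation. It assumes the local ASA's outside address is 198.51.100.1, the remote IKE peer is 203.0.113.10, and one admin host 192.0.2.50 manages the ASA over SSH; all three are made-up documentation addresses, and the ACL name is arbitrary.

```cisco
! Constructed example (not from the thread). Documentation addresses:
!   198.51.100.1  = this ASA's outside interface
!   203.0.113.10  = remote IKE peer
!   192.0.2.50    = admin host that reaches this ASA over SSH (assumed)
!
! A control-plane ACL filters traffic destined TO the ASA itself, unlike the
! ordinary inbound ACL, which filters traffic passing THROUGH it. It ends in an
! implicit deny, so every to-the-box protocol must be listed explicitly.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended permit tcp host 192.0.2.50 host 198.51.100.1 eq ssh
! Logged explicit deny so any other to-the-box traffic shows up in syslog
access-list OUTSIDE-CP extended deny ip any any log
! The control-plane keyword is what makes this a to-the-box filter
access-group OUTSIDE-CP in interface outside control-plane
```

Without the `control-plane` keyword the same lines would only govern transit traffic and would not affect the tunnel at all, which is the distinction the answer draws. udp/500 and udp/4500 cover both IKEv1 and IKEv2, and the ESP line is needed when the peer is not behind NAT (otherwise ESP arrives wrapped in udp/4500). After applying it, `show access-list OUTSIDE-CP` shows hit counts per line, which is a quick way to confirm the peer's IKE packets are matching the intended entry rather than the logged deny.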
12-29-2022 03:22 AM
No need, you are correct. If the S2S peer is behind the ASA, then this ASA needs to open the ports,
but if the ASA itself is the S2S VPN peer to the other router or ASA, then there is no need.
12-29-2022 03:33 AM - edited 12-29-2022 03:34 AM
Thank you for the response. But what if now there is a perimeter and an internal firewall? There is already an existing tunnel on the perimeter firewall, and I will need to port forward 4500 and 500 from the external IP of the perimeter firewall to the internal firewall's WAN IP; will that interrupt the perimeter firewall's tunnel? Not sure if I am overthinking it here now. I mean I can use a spare public IP to designate for the internal firewall, but what if there is no spare and we have to resort to using the external IP of the perimeter firewall for the port forwarding, which already has an established tunnel?
12-29-2022 03:37 AM
@afo99 if you have a perimeter firewall in front of the internal firewall that already is terminating VPNs, why not terminate the new VPN on the perimeter firewall? You can have multiple VPNs terminated on the same firewall.
If you did want to terminate a VPN on the internal firewall, you'd have to use a spare IP address on the perimeter firewall for NAT and permit udp/500 and udp/4500 to the internal firewall.
12-29-2022 03:45 AM
ASAlocal - ASAfront - ASAremote
ASAlocal does not need any ACL or NAT (if you do not configure NAT under the crypto map interface).
ASAfront needs an ACL opening ports 500 and 4500 and also a static NAT for 500 and 4500 from ASAlocal to ASAfront (public).
That's it.
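The perimeter-firewall side described in the two answers above (static NAT plus an inbound ACL for udp/500 and udp/4500 towards the internal firewall), as an added ASA configuration example that is not from either post. It assumes ASA 8.3+ object NAT syntax, a remote peer at 203.0.113.10, a spare public address 198.51.100.5 on ASAfront reserved for the internal firewall, and an internal firewall WAN address of 192.0.2.10; all addresses are made-up documentation addresses and the object and ACL names are arbitrary.

```cisco
! Constructed example for the perimeter ASA (ASAfront), not from the thread.
!   203.0.113.10 = remote IKE peer
!   198.51.100.5 = spare public IP on ASAfront reserved for the internal firewall
!   192.0.2.10   = internal firewall's WAN (outside) address behind ASAfront
! ASA 8.3+ syntax: NAT is object-based and ACLs reference the real (untranslated) address.
!
! Static port NAT: only the two UDP ports are mapped, so the rest of
! 198.51.100.5 stays unused and ASAfront's own tunnel on its primary
! outside address is not touched.
object network INT-FW-IKE
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.5 service udp 500 500
object network INT-FW-NATT
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.5 service udp 4500 4500
! Inbound ACL on the outside interface. This is transit traffic, so the normal
! (non-control-plane) ACL applies, and the destination is the real IP 192.0.2.10.
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 host 192.0.2.10 eq isakmp
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 host 192.0.2.10 eq 4500
access-group OUTSIDE-IN in interface outside
```

Only UDP is mapped because ESP (IP protocol 50) has no ports and cannot be port-forwarded; the tunnel between the remote peer and the internal firewall therefore depends on NAT-T, which carries ESP inside udp/4500. Using a spare address for the mapping is what keeps ASAfront's own IKE listener on its primary outside IP untouched, which is the design the answers above recommend. A quick check on ASAfront is `packet-tracer input outside udp 203.0.113.10 500 198.51.100.5 500`, which walks the packet through the NAT and ACL phases and reports whether it would be allowed and to which real address it is translated.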
12-29-2022 08:17 AM
Thank you very much everyone for your answers