
Do we need to allow ports 500 and 4500 for S2S tunnel to work?

afo99 (Level 1)

Hi everyone, 

Just wondering if I need to create an inbound ACL on the ASA for it to establish an S2S tunnel?

A lot of engineers say you need to. I understand if there is another firewall behind it that needs to establish a tunnel, but what if it's just a single firewall peering with another?

I have seen some ASAs establish a tunnel as the responder with no inbound ACL allowing the UDP ports, and when I checked the asp table there were no listening ports for 500 and 4500.

So I am a bit confused now. 

Accepted Solution

@afo99 If there is no firewall in front of the ASA then you don't generally need to define an ACL, so no you do not need to permit the traffic in order for the VPN to establish. The normal ACL on the ASA applied inbound on the outside interface is for traffic "through" the ASA not "to" the ASA itself.

In the unlikely event you are using control-plane ACL, this restricts traffic to the ASAs interface, so in this scenario you would need to permit udp/500 and ESP. In my experience, most people do not use a control-plane ACL.


6 Replies

No need, you are correct. If the S2S peer is behind the ASA, then this ASA needs to open the ports,
but if the ASA itself is the S2S VPN peer to the other router or ASA, then there is no need.


Thank you for the response. But what if now there is a perimeter and an internal firewall? There is already an existing tunnel on the perimeter firewall, and I will need to port forward 4500 and 500 from the external IP of the perimeter firewall to the internal firewall's WAN IP. Will that interrupt the perimeter firewall's tunnel? Not sure if I am overthinking it here now. I mean I can use a spare public IP to designate for the internal firewall, but what if there is no spare and we have to use the external IP of the perimeter firewall, which already has an established tunnel, for the port forwarding?

@afo99 if you have a perimeter firewall in front of the internal firewall that already is terminating VPNs, why not terminate the new VPN on the perimeter firewall? You can have multiple VPNs terminated on the same firewall.

If you did want to terminate a VPN on the internal firewall, you'd have to use a spare IP address on the perimeter firewall for NAT and permit udp/500 and udp/4500 to the internal firewall.

ASAlocal - ASAfront - ASAremote
ASAlocal does not need any ACL or NAT (if you do not configure NAT on the crypto map interface).
ASAfront needs an ACL opening ports 500 and 4500, and also a static NAT for 500 and 4500 from ASAlocal to ASAfront (public).

That's it.
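To make the three cases discussed in this thread concrete, here is an added ASA configuration sketch (written for this page, not taken from any poster): the ordinary outside interface ACL, which needs no IKE entries when the ASA is the tunnel peer; the control-plane ACL case from the accepted answer; and the perimeter/internal case from the last two replies, where a spare public IP is statically NATed to the internal firewall and udp/500 and udp/4500 are permitted through. All addresses are RFC 5737 documentation addresses chosen for the example, and the object and ACL names are assumptions.

```cisco
! Case 1: ASAlocal terminates the tunnel itself.
! The interface ACL governs traffic THROUGH the ASA, so IKE (udp/500,
! udp/4500) and ESP addressed to the ASA's own outside IP need no entry.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 443
access-group OUTSIDE_IN in interface outside

! Case 2: a control-plane ACL IS applied (the exception in the accepted
! answer). It filters traffic TO the ASA, so the peer's IKE and ESP must be
! permitted explicitly; udp/4500 only matters when NAT-T is negotiated.
! 203.0.113.1 = this ASA's outside IP, 198.51.100.1 = remote peer (constructed).
access-list CP_IN extended permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list CP_IN extended permit udp host 198.51.100.1 host 203.0.113.1 eq 4500
access-list CP_IN extended permit esp host 198.51.100.1 host 203.0.113.1
access-group CP_IN in interface outside control-plane

! Case 3: ASAfront (perimeter) in front of ASAlocal (internal), whose WAN IP
! is 10.1.1.2 (constructed). A spare public IP 203.0.113.10 is reserved for
! it, so the perimeter's own tunnel on 203.0.113.1 is left untouched.
object network ASALOCAL_WAN
 host 10.1.1.2
 nat (inside,outside) static 203.0.113.10
! On ASA 8.3+ the interface ACL references the real (pre-NAT) address.
access-list FRONT_OUTSIDE_IN extended permit udp host 198.51.100.1 host 10.1.1.2 eq isakmp
access-list FRONT_OUTSIDE_IN extended permit udp host 198.51.100.1 host 10.1.1.2 eq 4500
access-group FRONT_OUTSIDE_IN in interface outside
```

To confirm which case applies, `show asp table socket` on the terminating ASA lists its udp/500 and udp/4500 listeners, and `show running-config access-group` shows whether a control-plane ACL is bound to the outside interface.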

afo99 (Level 1)

Thank you very much everyone for your answers