04-07-2023 09:44 AM
Hello.
When erecting an L2L VPN from an internal LAN router, through an ASA, to a remote www device, does anything need to be configured on the ASA outside interface ACL (such as permitting remote IP-address, protocols, ports)?
(It seems to me that the internal LAN VPN endpoint would begin the communication to the remote endpoint, so nothing would need to be configured on the outside interface.)
Thank you.
04-07-2023 10:32 AM - edited 04-07-2023 10:33 AM
@jmaxwellUSAF ok, if the device on the inside of the ASA is initiating the tunnel (from inside to outside) then the return traffic would be permitted, so no, you don't need to permit traffic from outside to inside. Obviously if you do not permit inbound on the outside interface the peer would not be able to initiate the VPN.
If you have an ACL inbound on the inside interface you must explicitly permit the IPsec traffic. However, if you do not have an ACL inbound on the inside interface, then traffic from a higher interface to a lower interface would be permitted by default.
04-07-2023 10:09 AM
If sysopt connection permit-vpn is not disabled, then the outside interface will allow all traffic from the S2S VPN.
04-07-2023 10:20 AM
@jmaxwellUSAF so the VPN is being established through (either side of) the ASA, not to the ASA itself?
In which case, assuming the outside interface has a security level of 0 and the other interface (inside?) has a higher security level, you must explicitly permit traffic from outside to inside. For IPsec you need to permit udp/500 and ESP, and if NAT is in the path you'd need to permit udp/500 and udp/4500.
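As an added example (not from this thread, not Cisco's own tooling), a small checker that parses ASA extended ACL lines and reports which of the remote-initiated IPsec flows named above (udp/500, ESP, and udp/4500 when NAT-T is in the path) the outside-interface ACL would not permit for a given peer and inside endpoint. It honours first-match order, so a deny placed above a permit counts as blocked; the ACL name and RFC 5737 addresses in the sample are constructed. Per the accepted answer, the check only matters when the remote peer has to initiate the tunnel.

```python
import re

# Constructed sample ASA config (hypothetical ACL name and RFC 5737 addresses).
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.5
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>host \S+|any4|any)\s+(?P<dst>host \S+|any4|any)(?:\s+eq\s+(?P<port>\S+))?"
)
PORT_NAMES = {"isakmp": 500, "500": 500, "4500": 4500}
PROTO_NAMES = {"udp": "udp", "17": "udp", "esp": "esp", "50": "esp", "ip": "ip"}

def parse_aces(config, acl_name):
    """Return the ACEs of one ACL as (action, proto, src, dst, port), in configured order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            port = PORT_NAMES.get(m.group("port")) if m.group("port") else None
            proto = PROTO_NAMES.get(m.group("proto"), m.group("proto"))
            aces.append((m.group("action"), proto, m.group("src"), m.group("dst"), port))
    return aces

def _addr_matches(field, addr):
    return field in ("any", "any4") or field == f"host {addr}"

def missing_ipsec_permits(config, acl_name, peer, endpoint, nat_t=False):
    """List the peer -> inside-endpoint IPsec flows that the ACL does not permit.
    ASA ACLs are first-match, so the first ACE matching a flow decides its verdict."""
    required = [("udp", 500), ("esp", None)] + ([("udp", 4500)] if nat_t else [])
    missing = []
    for proto, port in required:
        verdict = "deny"  # implicit deny at the end of every ACL
        for action, a_proto, src, dst, a_port in parse_aces(config, acl_name):
            if a_proto not in (proto, "ip"):
                continue
            if not (_addr_matches(src, peer) and _addr_matches(dst, endpoint)):
                continue
            if a_port is not None and a_port != port:
                continue
            verdict = action
            break
        if verdict != "permit":
            missing.append(proto + (f"/{port}" if port else ""))
    return missing

if __name__ == "__main__":
    # Sample ACL lacks udp/4500, so with NAT-T required this reports ['udp/4500'].
    print(missing_ipsec_permits(SAMPLE_CONFIG, "OUTSIDE_IN", "203.0.113.10", "198.51.100.5", nat_t=True))
```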
04-07-2023 10:26 AM
You make sense, and I will config accordingly.
Theoretically speaking-- When setting up VPN, both devices are trying to reach each other, which means at least that the inside LAN device is initiating the connection, so why do I need to execute anything on the outside interface?
04-07-2023 10:35 AM
No need for any ACL config on the outside.