Firewall rules for VPN ipsec

Greg Maaaag
Level 1

Hi everyone!

We've got about 10 routers (1941 and 881W) connected to an ASA with a site-to-site IPsec VPN.

For example: ASA WAN IP 89.100.1.1, local subnet 192.168.1.0/24.

881W WAN IP 89.100.1.2, local subnet 192.168.2.0/24.

I want to set up a firewall on incoming connections for the ASA.

I opened UDP ports 500 and 4500 and allowed the ESP and AH protocols.

But traffic doesn't pass from the 192.168.1.0 subnet to the 192.168.2.0 subnet.

What more rules should I make?

1 Reply

Andrew Phirsov
Level 7

By default all traffic inside the tunnel is allowed through an ASA. That's because sysopt connection permit-vpn is in the running config by default. If it's not in your case, just add that line.

But most probably the problem is something related to VPN tunnel establishment, proxy ACLs and routing between the subnets.

Do you see the tunnel come up? What's in the output of sh crypto isakmp sa and sh crypto ipsec sa?
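As an added example (not part of the original thread, and not anyone's production tooling), here is a small Python helper that reads `show crypto ipsec sa` output and maps the proxy identities and the encaps/decaps counters onto the causes the reply lists: no SA at all (tunnel never came up), proxy ACL not mirroring the expected subnets, or packets going out but never coming back (routing/ACL on the far side). The sample output is constructed in the ASA's format using the addresses from the question; the function and variable names are my own.

```python
"""Diagnose a site-to-site IPsec tunnel from `show crypto ipsec sa` output.

Added example. SAMPLE_OUTPUT is constructed (modelled on the ASA's output
format), not captured from the poster's devices.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


# Constructed sample: SA to 89.100.1.2 is up, the ASA encapsulates packets
# for 192.168.2.0/24 but never decapsulates any, i.e. one-way traffic.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 89.100.1.1

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 89.100.1.2

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


@dataclass
class IpsecSa:
    peer: str
    local_net: ipaddress.IPv4Network   # local proxy identity
    remote_net: ipaddress.IPv4Network  # remote proxy identity
    encaps: int                        # packets sent into the tunnel
    decaps: int                        # packets received from the tunnel


IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output into one block per crypto map entry and extract the
    fields the reply asks about: proxy identities and packet counters."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        peer = PEER_RE.search(block)
        if not peer:
            continue  # header text before the first SA block
        idents = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
                  for m in IDENT_RE.finditer(block)}
        enc = ENCAPS_RE.search(block)
        dec = DECAPS_RE.search(block)
        sas.append(IpsecSa(peer.group(1), idents["local"], idents["remote"],
                           int(enc.group(1)) if enc else 0,
                           int(dec.group(1)) if dec else 0))
    return sas


def diagnose_peer(sas: List[IpsecSa], peer: str,
                  expected_local: str, expected_remote: str) -> str:
    """Return a short verdict for one peer, checked in the order a
    troubleshooter would: is there an SA, do the proxies match, do
    counters move in both directions."""
    matches = [sa for sa in sas if sa.peer == peer]
    if not matches:
        return "no-sa"              # tunnel not established: check sh crypto isakmp sa
    sa = matches[0]
    if (sa.local_net != ipaddress.ip_network(expected_local)
            or sa.remote_net != ipaddress.ip_network(expected_remote)):
        return "proxy-mismatch"     # crypto ACLs are not mirror images
    if sa.encaps == 0 and sa.decaps == 0:
        return "no-interesting-traffic"  # nothing hits the crypto map: routing on this side
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way-no-return"  # far side not sending back: its proxy ACL or routing
    if sa.decaps > 0 and sa.encaps == 0:
        return "one-way-no-send"    # this side receives but does not route into the tunnel
    return "ok"


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    for sa in parsed:
        print(f"{sa.peer}: {sa.local_net} <-> {sa.remote_net} "
              f"encaps={sa.encaps} decaps={sa.decaps}")
    print(diagnose_peer(parsed, "89.100.1.2", "192.168.1.0/24", "192.168.2.0/24"))
```

Paste the real `show crypto ipsec sa` output in place of the constructed sample; a `no-sa` verdict means the IKE side needs looking at first, and `proxy-mismatch` means the ACL on one end does not mirror the other.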