We have a pair of ASA 5545-X firewalls as our Prod ASA. The prod ASA has a global ACL and an ACL for EIGRP advertisements. In addition to that we have a VPN Filter ACL and an interesting traffic matching ACL. It seems the ASA matches the global ACL first and then gets to the interesting traffic ACL.
We built an IPSec tunnel from our prod ASA to a company that does Internet proxy. The interesting traffic for this was 10.10.10.0/24 source to any destination on ports 80,443.
We found out this does not work without a global ACL entry that permits 10.10.10.0/24 to any.
Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?
Hi Devavrat,
You can use an IP-based access-list to allow the traffic through the tunnel and restrict the further communication via VPN filters. These filters assist with port-based restriction for through-the-tunnel traffic.
P.S. Please rate helpful posts.
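To make the layering concrete, here is an added ASA configuration example (not from the original thread or either poster) that puts the three pieces together the way the thread describes them: the global ACL, which the ASA checks when the packet arrives on the inside interface and therefore before the crypto map is consulted; an IP-only crypto ACL for interesting traffic, as Dinesh suggests; and a vpn-filter that does the port restriction. Names such as GLOBAL_ACL, PROXY_CRYPTO, PROXY_VPN_FILTER, PROXY_GP and OUTSIDE_MAP, and the peer address 203.0.113.10, are assumptions chosen for the example. One ASA caveat worth knowing: a vpn-filter ACL is written from the remote network's point of view (source = remote side, destination = local side) and is applied in both directions, so for locally initiated connections the port goes in the source-port position on the remote address.

```cisco
! ---- 1. Global ACL (evaluated at ingress on every interface without its own ACL) ----
! Traffic from 10.10.10.0/24 must be permitted here first, otherwise it is dropped
! before the crypto map ever sees it. The thread used "permit ... any"; restricting
! it to tcp/80 and tcp/443 is a tightening, since only proxy traffic should leave.
access-list GLOBAL_ACL extended permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list GLOBAL_ACL extended permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-group GLOBAL_ACL global

! ---- 2. Crypto (interesting traffic) ACL: IP-based only, no ports ----
access-list PROXY_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 any

! ---- 3. VPN filter: port-based restriction inside the tunnel ----
! Written from the remote side's perspective. The local hosts initiate the
! connections, so the server port sits on the remote ("any") address as the
! source port, and the local subnet is the destination.
access-list PROXY_VPN_FILTER extended permit tcp any eq 80 10.10.10.0 255.255.255.0
access-list PROXY_VPN_FILTER extended permit tcp any eq 443 10.10.10.0 255.255.255.0

group-policy PROXY_GP internal
group-policy PROXY_GP attributes
 vpn-filter value PROXY_VPN_FILTER

! ---- Tie the pieces to the L2L tunnel (peer address is a placeholder) ----
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PROXY_GP

crypto map OUTSIDE_MAP 10 match address PROXY_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside
```

With this layout, a packet from 10.10.10.5 to a web server on port 443 is first accepted by GLOBAL_ACL on the inside interface, then matched by PROXY_CRYPTO and sent into the tunnel, where PROXY_VPN_FILTER confirms the port. A packet from the same host to port 22 fails GLOBAL_ACL and never reaches the crypto map; and if GLOBAL_ACL were left as "permit ip ... any", the vpn-filter would still stop the port 22 connection inside the tunnel. "show access-list GLOBAL_ACL" and "show vpn-sessiondb l2l" are the usual places to confirm hit counts and that the filter is attached to the session.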
Thank you Karsten and Dinesh. I am using a VPN filter and have that applied to my group-policy too. I am not sure how to work around the global ACL. I also noticed I need to move my nat statements below the object NATs.
>Does that mean if I have an ASA with a global ACL, then every time I build an interesting traffic ACL, I have to include those in the global ACL?