02-16-2009 01:15 AM
Hi,
I have many VPNs connecting to our ASA 5520 firewall. They are all our own remote offices, so no external companies etc.
I currently only open the ports that they require, as all the servers are hosted where the ASA is (no servers are offsite; all VPNs come inbound for the servers), but I'm sure this puts extra strain on the ASA's CPU and memory and maybe slows down the connection from the VPNs while it processes the rules.
I was wondering what you do: do you lock yours down or simply have an IP any any rule?
I could be totally wrong, and maybe there is no CPU and memory overhead and locking down is the best model.
Thanks for your time.
02-16-2009 07:16 AM
Hi, ASA and PIX devices have the feature of bypassing any access rule applied to the outside interface if the traffic passing from outside to inside is IPsec traffic (VPN). This should be enabled by default, and you should not worry about the ACLs that are processed. HTH
02-16-2009 11:39 AM
Hi,
I disabled this rule so I could control the VPNs by ACLs. I was just wondering if my ACLs add a big overhead to the CPU/memory, and whether it is an industry/Cisco standard to leave the trusted VPNs completely open.
I spent ages locking them down, but I am just interested in what you guys do.
I guess there is no right or wrong way of doing it, is there?
Thanks
02-16-2009 11:52 AM
Well, it is recommended to disable ACL checking if you are really confident in the peers you make the VPN to. If you want to have really granular control of what they are seeing and what they are able to see, then this would be your best option (enable ACL check). As for the processing, I think it might impact it if you really have tons of tunnels and tons of traffic going through those tunnels, but if we are talking about a few, no need to worry.
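As an added example (not posted by anyone in this thread), here is what the two settings discussed above look like in ASA configuration: the default bypass the second reply describes, and the "bypass off plus outside ACL" approach the original poster chose. It also shows a third, per-tunnel option the thread does not mention, `vpn-filter` in a group policy, which keeps the default bypass while still restricting what each remote office can reach. All addresses, object and ACL names, ports and the peer IP are made-up placeholders, and the two `show` commands at the end are there so the CPU and hit-count question can be answered by measurement rather than guesswork.

```cisco
! Added example, not from any poster in this thread. Every address, name,
! port and peer IP below is a constructed placeholder.
!
! --- Option A: the ASA default described in the second reply ---
! Decrypted IPsec traffic skips the interface ACLs entirely, so once a
! tunnel is up a remote office can reach anything behind the ASA.
sysopt connection permit-vpn
!
! --- Option B: what the original poster did ---
! Turn the bypass off so decrypted VPN traffic is checked against the ACL
! bound to the outside interface, then permit only the required ports.
no sysopt connection permit-vpn
!
object-group network REMOTE_OFFICES
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
!
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_OFFICES host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_OFFICES host 192.168.1.20 eq 445
! Explicit logged deny so blocked attempts from a remote office are visible
! in syslog instead of disappearing into the implicit deny.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Option C: per-tunnel filter, not discussed in the thread ---
! A vpn-filter ACL is attached to the group policy of one tunnel and is
! evaluated only for that peer's traffic, so the default bypass can stay on.
! For a LAN-to-LAN tunnel it is written with the remote network as source
! and the local hosts as destination.
access-list VPN_FILTER_SITE_A extended permit tcp 10.10.0.0 255.255.0.0 host 192.168.1.10 eq 443
group-policy SITE_A_POLICY internal
group-policy SITE_A_POLICY attributes
 vpn-filter value VPN_FILTER_SITE_A
tunnel-group 203.0.113.5 general-attributes
 default-group-policy SITE_A_POLICY
!
! Measuring what the thread is guessing about:
!   show cpu usage              -> actual load with the ACLs in place
!   show access-list OUTSIDE_IN -> per-line hit counts, so unused lines
!                                  can be pruned and denied traffic spotted
```

The difference between B and C is scope: with B every tunnel is subject to one interface ACL, so a change for one office touches a list shared by all of them, while with C each tunnel carries its own short list and a mistake in one office's filter cannot widen another's access. In both cases the logged deny and the hit counters are what turn "I locked it down" into something you can verify.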