[c-nsp] VPN clients on Cisco ASA

Ryan West rwest at zyedge.com
Wed Jul 29 09:18:54 EDT 2009


Randy,

 
> 5) The outside ACL is wide open (with permit ip any any). Recommend locking it down. For VPN, allow tcp 50 and udp 500 to the outside int from any unless sysopt conn ipsec permit is enabled.
>
> 6) Probably would be a good idea to replace IPs with x.x.x.x when posting configs on a public site.
>
> regards,
> ./Randy
 
When isakmp and a crypto map are enabled on the outside, the ACL is ignored completely; the same applies for management purposes like SSH and HTTPS.  If there were another device in front of the firewall, then you would need to enable protocol 50 (ESP) and UDP/500 (IKE).  The sysopt conn permit-vpn connection tells the firewall to ignore ACL processing of the tunneled traffic.  Good catch on the split tunnel, I glazed over that one.

-ryan
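An added example, not from the thread, that checks a saved ASA config for the points Randy and Ryan discuss: a wide-open outside ACL, whether the ASA terminates the tunnel itself (so IKE/ESP to the box bypass the ACL), whether sysopt connection permit-vpn skips ACL checks on decrypted traffic, and, generalizing Ryan's "device in front" remark, whether an ASA that only passes VPN traffic through to an endpoint behind it permits ESP and UDP/500. The sample config and ACL name are constructed.

```python
import re

# Constructed sample ASA config fragment (not from the thread): the outside
# ACL is wide open, the ASA terminates the VPN on outside, and the
# sysopt connection permit-vpn bypass is on.
SAMPLE_CONFIG = """\
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
crypto map outside_map interface outside
crypto isakmp enable outside
sysopt connection permit-vpn
"""

def audit_asa_vpn_acl(config: str) -> dict:
    """Report the ACL/VPN conditions discussed in the thread for one config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Find the ACL applied inbound on the outside interface.
    acl = None
    for l in lines:
        m = re.fullmatch(r"access-group (\S+) in interface outside", l)
        if m:
            acl = m.group(1)
    acl_lines = [l for l in lines if acl and l.startswith(f"access-list {acl} ")]
    # The ASA terminates the tunnel on outside if IKE is enabled there and a
    # crypto map is bound to that interface.
    ike_enabled = any(re.fullmatch(r"crypto (isakmp|ikev[12]) enable outside", l) for l in lines)
    map_bound = any(re.fullmatch(r"crypto map \S+ interface outside", l) for l in lines)
    report = {
        "outside_acl": acl,
        "wide_open": any(l.endswith("permit ip any any") for l in acl_lines),
        "vpn_terminated_here": ike_enabled and map_bound,
        "permit_vpn_bypass": "sysopt connection permit-vpn" in lines,
        # Explicit ESP (IP protocol 50) and IKE (UDP/500) entries in the ACL.
        "esp_permitted": any(re.search(r"\bpermit esp\b", l) for l in acl_lines),
        "ike_permitted": any(re.search(r"\bpermit udp\b.*\beq (500|isakmp)\b", l) for l in acl_lines),
    }
    notes = []
    if report["wide_open"]:
        notes.append("outside ACL permits ip any any; lock it down")
    if report["vpn_terminated_here"]:
        notes.append("IKE/ESP to the ASA itself bypass the outside ACL; no ACL entry needed")
    elif not (report["esp_permitted"] and report["ike_permitted"]):
        notes.append("tunnel not terminated here: a VPN endpoint behind the ASA needs permit esp and udp/500 in the ACL")
    if report["permit_vpn_bypass"]:
        notes.append("sysopt connection permit-vpn skips ACL checks on decrypted tunnel traffic")
    report["notes"] = notes
    return report

if __name__ == "__main__":
    for key, value in audit_asa_vpn_acl(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```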