
VPN traffic across an ASA/PIX

oddyager

Diamond Member
If your VPN hub (router/concentrator/what have you) is sitting behind a firewall, do you need to configure ACLs to permit LAN traffic that's encapsulated in the tunnel (say standard site-to-site tunnels using IPsec or GRE over IPsec), or is the firewall only going to see the actual tunnel-building traffic (GRE, ISAKMP traffic, etc.) and not what's passing through inside? Did that make sense?
 
If the firewall isn't an endpoint of the tunnel, or doing something to decrypt and inspect the traffic, all it should see is the encrypted tunnel. Isn't that the whole point of a VPN?
 
You don't need your LAN-to-LAN ACLs on your NAT firewall if it isn't the VPN endpoint.

You will, however, need routes to that VPN endpoint on your NAT firewall. That could be a problem with a PIX/ASA as they don't support ICMP redirect (meaning they won't redirect requests to another internal router).
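As an added example (not posted by anyone in this thread), here is how the two replies above translate into ASA configuration for a hub behind the firewall: pass only the tunnel protocols, and route the remote LANs at the internal hub. The addresses, object name and ACL name are assumptions, and the syntax is ASA 8.3+ (ACLs reference the real, untranslated address).

```cisco
! Constructed topology for this example:
!   VPN hub (router) at 10.0.0.2 on the inside interface,
!   published on the Internet as 203.0.113.10,
!   remote site LAN behind the tunnel is 10.20.0.0/16.
!
! 1. One-to-one static NAT for the hub so ESP/GRE survive translation.
object network vpn-hub
 host 10.0.0.2
 nat (inside,outside) static 203.0.113.10
!
! 2. Inbound ACL: only the traffic that builds and carries the tunnel.
!    The LAN-to-LAN subnets inside the tunnel never appear to the ASA,
!    so no LAN ACL entries are needed here. UDP/4500 is only required
!    if the peers negotiate NAT traversal.
access-list outside_in extended permit udp any host 10.0.0.2 eq isakmp
access-list outside_in extended permit udp any host 10.0.0.2 eq 4500
access-list outside_in extended permit esp any host 10.0.0.2
access-list outside_in extended permit gre any host 10.0.0.2
access-group outside_in in interface outside
!
! 3. The remote LAN is reached via the internal hub, not the outside interface.
route inside 10.20.0.0 255.255.0.0 10.0.0.2 1
!
! 4. The ASA does not send ICMP redirects, so inside hosts that use it as
!    their default gateway are hairpinned back out the inside interface
!    toward the hub. That same-interface forwarding is denied by default.
same-security-traffic permit intra-interface
```

If the tunnel were terminated on the ASA itself, the LAN-to-LAN policy would instead live in the crypto map and its matching ACL.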
 