

Site to Site Cisco VPN - opening of ports needed if behind a perimeter fw?

wayy2be asked
Medium Priority
Last Modified: 2012-05-06

I have set up a site to site VPN using two ASA 5505s. Site A is directly connected to the web with no other devices in front of it. Site B is behind a PIX 515. The tunnel is up as indicated by the VPN light on the ASA. Do I need to open any ports on the PIX to have traffic flow across the ASA VPN? Am I correct in thinking that since the tunnel is up between the two ASA devices, no other device will or can see that traffic?

Top Expert 2009
To the devices between the ASA's, the only traffic seen is UDP 500 and ESP (the encrypted traffic).  You don't need to open/permit the real traffic within the tunnel on the perimeter device.



So just to clarify...if I have a 10.10.10.x network on Site A's side and a 10.10.10.x network on Site B and users on each side use an application that transmits data to each site, then I do not have to open any ports on the perimeter device, yes?
Top Expert 2009

Correct.  That traffic is "hidden" within the tunnel to the perimeter device.  The only thing it sees is UDP 500 (ISAKMP) and ESP (IPSEC).
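To make the two answers above concrete, here is an added example (not from the thread or from either expert) of what the rule set on the perimeter PIX looks like, plus the commands used to confirm that only IKE and ESP are crossing it. The interface name "outside", the ACL name OUTSIDE_IN, and the addresses 203.0.113.10 (Site A ASA) and 192.0.2.20 (Site B ASA, assumed to be a public address the PIX routes without translating) are all assumptions; replace them with your own.

```cisco
! Added example, PIX 7.x / ASA syntax. Names and addresses are hypothetical.
! Site A ASA outside: 203.0.113.10   Site B ASA outside: 192.0.2.20 (not NATed by the PIX)

! IKE phase 1/2 negotiation: UDP 500 (the "isakmp" keyword is UDP 500)
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 192.0.2.20 eq isakmp
! The tunnel itself: ESP is IP protocol 50, not a TCP/UDP port
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 192.0.2.20

! Caveat: only needed if the PIX *translates* the Site B ASA's address.
! With NAT in the path both peers switch to NAT-Traversal: IKE moves to
! UDP 4500 and ESP is carried inside UDP 4500, so the "permit esp" line
! alone would not be enough and a static translation for 192.0.2.20
! would also have to exist on the PIX.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 192.0.2.20 eq 4500

access-group OUTSIDE_IN in interface outside

! Checks. On the PIX, after the application has passed some traffic,
! only the isakmp/esp (or 4500) lines should show hit counts; nothing
! for the 10.10.10.x application ports, because those are inside ESP:
show access-list OUTSIDE_IN

! On either ASA, the phase 1 SA should be QM_IDLE / MM_ACTIVE and the
! #pkts encaps / #pkts decaps counters for the 10.10.10.x proxy identities
! should both be increasing:
show crypto isakmp sa
show crypto ipsec sa
```

Nothing about the application protocols (their TCP/UDP ports, or the 10.10.10.x addresses) ever appears in the PIX's rules: to the PIX every packet between the two ASAs is an ESP datagram with an SPI and an opaque payload, which is exactly why the rules above are sufficient and why the perimeter device cannot inspect or filter the traffic inside the tunnel.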


Awesome!  Thanks for your help :-)
Top Expert 2009

Sure thing.


Great advice, thanks!