I have some L2L tunnels. I don't use the "sysopt connection permit-vpn" command. I prefer to enable the required ports for specific source IPs, so they can establish a VPN tunnel with me.
Recently I have configured a remote access VPN. It works fine, but only when I enable "sysopt connection permit-vpn".
1. Which ports have to be enabled to get the RA VPN working (without sysopt connection permit-vpn)?
2. How can I restrict the access of remote clients once they are connected to my private network?
When you do not use "sysopt connection...", you have to explicitly permit UDP 500, UDP 4500 and ESP traffic on the outside access-list.
Let's say the outside interface public IP address is x.x.x.x, the client pool we are using is y.y.y.0 and you want to allow "only" traffic for port 80 through the tunnel.
On the outside ACL, you have to put the following statements:
access-list 101 permit udp any host x.x.x.x eq 500
access-list 101 permit udp any host x.x.x.x eq 4500
access-list 101 permit esp any host x.x.x.x
access-list 101 permit tcp y.y.y.0 255.255.255.0 any eq 80
access-list 101 deny ip y.y.y.0 255.255.255.0 any
*Please rate the post if it helps.