Securing Router VPN with Public IP

danmiller3
Level 1

When using the following ACL on the router side of a PIX to 2651XM VPN, no connectivity is established until the access-group is dropped from the FastEthernet0/1 interface; then it comes up and works fine.

We need to harden this FE interface as it has a public IP on a router with IOS support for VPNs.

What am I missing?

access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any

interface FastEthernet0/1
 ip access-group 150 in

Note:
host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM

1 Reply

palomoj
Level 1

You need to allow for ISAKMP traffic.

access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq isakmp
access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq 4500 (NAT-T)
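A quick way to check which entry of an ACL like the ones in this thread a given packet would hit (first match wins, implicit deny at the end), as an added example that is not part of the thread. The addresses are constructed stand-ins for the AA.BB.CC.DD and WW.XX.YY.ZZ placeholders, and only the syntax used above (host/any, eq PORT) is parsed.

```python
# Added example (not from the thread): tiny first-match evaluator for IOS numbered
# extended ACL lines of the form used above, to see which entry a packet hits.
PROTO_NUM = {"ip": None, "icmp": 1, "igmp": 2, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# Constructed stand-ins for the placeholders AA.BB.CC.DD (PIX) and WW.XX.YY.ZZ (2651XM).
PIX, ROUTER = "192.0.2.10", "198.51.100.20"

ACL_150 = [
    "access-list 150 remark Int Fa0/1 security for VPN use",
    f"access-list 150 permit ip host {PIX} host {ROUTER}",
    f"access-list 150 permit ahp host {PIX} host {ROUTER}",
    f"access-list 150 permit esp host {PIX} host {ROUTER}",
    f"access-list 150 permit udp host {PIX} host {ROUTER} eq isakmp",
    f"access-list 150 permit udp host {PIX} host {ROUTER} eq 4500",
    "access-list 150 deny ip any any",
]

def parse_ace(line):
    """Parse one ACE; returns None for remarks. Only host/any and 'eq PORT' are supported."""
    tok = line.split()
    if tok[2] == "remark":
        return None
    ace = {"action": tok[2], "proto": PROTO_NUM[tok[3]], "dport": None, "text": line}
    i = 4
    for key in ("src", "dst"):          # 'any' matches everything, 'host X' matches X only
        if tok[i] == "any":
            ace[key], i = None, i + 1
        elif tok[i] == "host":
            ace[key], i = tok[i + 1], i + 2
        else:
            raise ValueError("unsupported address form: " + line)
    if i < len(tok) and tok[i] == "eq":  # destination port, by name or number
        ace["dport"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return ace

def evaluate(acl_lines, pkt):
    """Return (action, matched_line) for pkt = {src, dst, proto, dport?}; implicit deny last."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], ace["text"]
    return "deny", "<implicit deny>"

if __name__ == "__main__":
    # IKE (UDP/500) from the PIX to the router: report which line it matches
    print(evaluate(ACL_150, {"src": PIX, "dst": ROUTER, "proto": 17, "dport": 500}))
```

Feeding the peer's IKE, NAT-T and ESP packets plus an unrelated source through `evaluate` shows, line by line, whether the ACL or something else is what is blocking the tunnel.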
