When using the following ACL on the router side of a PIX to 2651XM VPN,
no connectivity is established until the Access-Group is dropped from
the FastEthernet0/1 interface - then it comes up and works fine.

We need to harden this FE interface as it has a public IP on a router
with IOS support for VPNs.

What am I missing?

access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any

interface FastEthernet0/1
 ip access-group 150 in

Note:
host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM
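The following is an added example, not part of the original post: a small first-match simulator for the extended ACL quoted above, using the post's placeholder peer addresses (AA.BB.CC.DD for the PIX, WW.XX.YY.ZZ for the 2651XM) and a few constructed packets. It shows two things worth checking before touching the router: the first `permit ip host ... host ...` entry already covers every protocol between the two peers (IKE on UDP/500 and ESP included), so the ahp/esp/gre/icmp/igmp lines are never reached; and any packet whose source or destination is not one of the two peers, such as a decrypted packet between the LANs behind the tunnel, falls through to the final `deny ip any any`. Whether the router also evaluates the inbound interface ACL against packets after decryption depends on the IOS release; the simulator only models first-match ACL evaluation with an implicit deny, not IOS crypto behaviour.

```python
from dataclasses import dataclass

# Placeholder peer addresses as written in the post (not real IPs).
PIX = "AA.BB.CC.DD"   # PIX end of the tunnel
RTR = "WW.XX.YY.ZZ"   # 2651XM Fa0/1 public address


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a Cisco-style extended ACL."""
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any IP protocol; otherwise an exact name
    src: str     # host address or "any"
    dst: str     # host address or "any"


# Transcription of access-list 150 from the post, in order.
ACL_150 = [
    Ace("permit", "ip",   PIX,   RTR),
    Ace("permit", "ahp",  PIX,   RTR),
    Ace("permit", "esp",  PIX,   RTR),
    Ace("permit", "gre",  PIX,   RTR),
    Ace("permit", "icmp", PIX,   RTR),
    Ace("permit", "igmp", PIX,   RTR),
    Ace("deny",   "ip",   "any", "any"),
]


def _addr_covers(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _proto_covers(pattern: str, proto: str) -> bool:
    return pattern == "ip" or pattern == proto


def evaluate(acl, proto: str, src: str, dst: str):
    """First-match evaluation. Returns (action, index of the matching ACE);
    index None means the implicit deny at the end of the list fired."""
    for i, ace in enumerate(acl):
        if (_proto_covers(ace.proto, proto)
                and _addr_covers(ace.src, src)
                and _addr_covers(ace.dst, dst)):
            return ace.action, i
    return "deny", None


def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE
    already covers every packet they would match."""
    result = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (_proto_covers(earlier.proto, ace.proto)
                    and _addr_covers(earlier.src, ace.src)
                    and _addr_covers(earlier.dst, ace.dst)):
                result.append(i)
                break
    return result


# Constructed sample packets (protocol, source, destination) arriving
# inbound on Fa0/1. The 10.x.x.x addresses are made up to stand for hosts
# behind each VPN endpoint.
PACKETS = {
    "IKE (udp/500) from the PIX":            ("udp",  PIX,           RTR),
    "ESP from the PIX":                      ("esp",  PIX,           RTR),
    "decrypted TCP between the two LANs":    ("tcp",  "10.1.1.10",   "10.2.2.20"),
    "ICMP from an unrelated Internet host":  ("icmp", "198.51.100.7", RTR),
}


def report(acl=ACL_150, packets=PACKETS):
    """Evaluate every sample packet; returns {label: (action, ace_index)}."""
    return {label: evaluate(acl, *pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (action, idx) in report().items():
        where = "implicit deny" if idx is None else f"ACE #{idx + 1}"
        print(f"{label:40s} -> {action:6s} ({where})")
    print("ACEs never reached:", [i + 1 for i in shadowed(ACL_150)])
```

Run it as a script to see each packet's verdict and the list of entries that can never match; the `report()` and `shadowed()` functions can be pointed at an edited ACL to confirm a proposed change before it is applied to the interface.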