Communication between routers and VPN concentrators

Unanswered Question
Jun 22nd, 2007
User Badges:

Anyone know why I'm having a problem setting up a VPN between a Cisco router and a VPN concentrator and using an ACL that restricts by protocol?

I had a VPN set up with a vendor between my 2611 and their PIX and had ACL's like:

permit tcp host x.x.x.x host y.y.y.y eq ftp and when they moved and installed a concentrator this no longer works and we need to use permit ip host x.x.x.x host y.y.y.y with no protocol restrictions.

I have another tunnel set up with a different partner that is the same situation, we were never able to make this work but I have yet another tunnel between my router and my own PIX that works fine when I trim down to only my needed protocols.

Why the problem doing this between two Cisco devices (though not PIX)?

*tunnel comes up but we are unable to complete the FTP login and even get a directory listing. (yes, I know I also need "ftp-data").


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Sat, 06/23/2007 - 18:17
User Badges:
  • Blue, 1500 points or more

I dont know why you're having the problem you're having, but I could suggest a work around so you still had the same restrictions...

for your crypto ACL, use the generic:

permit ip host xxxx host yyyy

then, create another ACL that is more restrictive applied to one of the interfaces that this traffic passes through (probably inbound on the inside interface).

make sense? if you do that, make sure you understand ACL's well and the order of operation.


This Discussion