ASA to Router VPN Access lists

Unanswered Question
Jul 26th, 2007

Hi, I have an issue tying down ports on an ipsec vpn between an asa5510 and a 1801 router. I can get the tunnel up no problem with allowing ip traffic but when I try to tie it down it all goes wrong.

I would appreciate any help on this. I am trying just to allow tcp: http,https and ftp and ICMP also.


Thanks in advance

ciaran

bbaley Wed, 08/01/2007 - 10:10

You need to configure an access list. Here is an example:

access-list 100 permit udp any host 10.1.1.25 eq isakmp

purohit_810 Wed, 08/01/2007 - 12:08

To allow all the protocols:

object-group service TCP tcp
 port-object eq telnet
 port-object eq www
 port-object eq ftp-data
 port-object eq domain
 port-object eq https
 port-object eq ftp
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq 8080
 port-object eq ssh
 port-object eq 7070
 port-object eq 6080
 port-object eq rtsp
 port-object eq 8200
 port-object eq 2097
 port-object eq 5012
 port-object eq 990

object-group service UDP udp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq isakmp
 port-object eq 4500
 port-object eq 10000

access-list 102 extended permit udp any any object-group UDP
access-list 102 extended permit tcp any any object-group TCP
access-list 102 extended permit esp any any


Regards,

Dharmesh Purohit

ciaran1977 Thu, 08/02/2007 - 01:24

Thanks for the response, Dharmesh. But you can only use object-groups on the ASA; on the router (1801) you cannot define object-groups. When I try to mix object-groups (on the ASA) with access lists (on the router) I cannot get the tunnel up.


Any help would be appreciated.

michaeltedeschi Mon, 08/06/2007 - 19:58

On your router you need an ACL like so in your outside interface ACL:

access-list 105 permit ahp host <remote ip> host <local ip>
access-list 105 permit esp host <remote ip> host <local ip>
access-list 105 permit udp host <remote ip> host <local ip> eq isakmp
access-list 105 permit udp host <remote ip> host <local ip> eq non500-isakmp

access-list 105 permit ip <remote internal network> 0.0.3.255 <local internal network> 0.0.7.255
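The point raised above (object-groups exist on the ASA but not on the 1801) is illustrated below with an added example that was not posted by anyone in this thread: the same port-restricted crypto ACL written once with an ASA object-group and once expanded line by line for IOS. All addresses are placeholders, and the direction is assumed to be clients behind the ASA reaching servers behind the router.

```cisco
! Added example, not from any post in this thread. Placeholders:
! 10.1.0.0/24 = LAN behind the ASA 5510, 10.2.0.0/24 = LAN behind the 1801.
! Assumed direction: hosts on the ASA side open connections to the router side.
!
! --- ASA 5510: crypto (interesting-traffic) ACL using an object-group.
! The ASA expands the group into one ACE per port, and every ACE negotiates
! its own pair of IPsec SAs, so the router must carry the identical set.
object-group service VPN-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
access-list VPN-ASA extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 object-group VPN-TCP
access-list VPN-ASA extended permit icmp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! --- 1801 router: the same policy written out by hand (IOS has no object-groups).
! Each line is the mirror image of one ASA ACE: source and destination are
! swapped, so the ASA's destination port becomes the router's source port.
! IOS uses wildcard masks (0.0.0.255) where the ASA uses subnet masks
! (255.255.255.0), and this IOS release has no "https" keyword, hence 443.
ip access-list extended VPN-RTR
 permit tcp 10.2.0.0 0.0.0.255 eq www 10.1.0.0 0.0.0.255
 permit tcp 10.2.0.0 0.0.0.255 eq 443 10.1.0.0 0.0.0.255
 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.1.0.0 0.0.0.255
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Caveats: the "ftp" ACE covers only the control channel (port 21); FTP data
! connections (server port 20 in active mode, ephemeral ports in passive
! mode) need their own mirrored ACEs or they will not enter the tunnel.
! If the two lists are not exact mirrors, phase 2 fails with a proxy identity
! mismatch; "show crypto ipsec sa" on either box shows one SA pair per ACE.
```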
