VPN access-list

Nov 27th, 2007

I want to know if there is a simpler way to allow VPN traffic on a VLAN.

The way I'm doing it now is just allowing various ports depending on what is needed,

and that can lead to some trouble, because when I get a user that has a different client/port I have to go and add him to the access list, so the list is "learning".

So is there a way for me to do this in any other way that does not require me to be logging in to the switch so often?

And maybe make the access list a little bit smaller.

mheusing Tue, 11/27/2007 - 05:16
Cisco Employee

Hi,


The question can be rephrased: How much control do you need?

In case you do not want to control at the port level, you could simply allow the subnet or single hosts to send anything by only specifying IP addresses in the ACL.

Example (extended ACLs need the protocol keyword, here "ip" for any protocol): access-list 100 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255

assuming VPN traffic from 10.1.0.0/16 to 192.168.1.0/24 - your ACL might look different, of course.

In case you want control on the port level, then there is no other choice, as there are no general rules as to which ports are allowed and which ports are not. You have to define them and maintain them.

More control means more work.


Regards, Martin

guttormure Tue, 11/27/2007 - 06:49

Well, I only want to allow VPN traffic, web browsing and e-mail on this VLAN,

and I must be able to support various types of VPN clients because this is "public" access.

mheusing Fri, 11/30/2007 - 01:48
Cisco Employee

Hi,

I completely misunderstood your task. What you want is to block all traffic except VPN, email and HTTP.

Another solution would be to have an internet proxy set up, which generally allows you to regulate traffic in a much more granular way than a LAN switch.

Yet, in my experience there are many different VPN solutions out there, so it will never be an easy task.

What hardware/software do you have for this task? Some switches are restricted to port-based ACLs, and you might not find any other option than doing what you do.


Regards, Martin

guttormure Thu, 12/06/2007 - 01:46

That is one of the problems:

these are not all the same model of switches.

I have tested access-lists with the AHP, ESP and GRE protocols, but they only interact with the authentication, not the connection.


access-list 199 remark VPN test
access-list 199 deny ahp any any
access-list 199 deny esp any any
access-list 199 deny gre any any
access-list 199 permit ip any any

(note: this list was made for testing)


This, for example, allows me to connect to the VPN but not authenticate,

and when I change it into:


access-list 199 remark VPN test
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 23
access-list 199 permit tcp any any eq 80
access-list 199 permit tcp any any eq 110
access-list 199 permit tcp any any eq 25
access-list 199 permit tcp any any eq 22
access-list 199 deny ip any any


I cannot connect, probably because the port on which the VPN connection is trying to connect is not permitted...

Well, maybe I have to do this with proxies :(


Regards, Gutti
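The second ACL 199 above permits ESP, AH and GRE but none of the UDP ports on which an IPsec client negotiates its tunnel. This added Python example (not part of the thread, not Cisco's code) parses that ACL with a small evaluator for the syntax subset used here and runs it against constructed VPN flows. The port numbers are the standard assignments (UDP 500 for IKE, UDP 4500 for NAT-T, TCP 1723 for PPTP control) and the evaluator assumes IOS first-match semantics with an implicit deny at the end.

```python
import re
# Cisco extended-ACL subset used in the thread: <action> <proto> any any [eq <port>]
ACE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\d+))?$")

def parse_acl(text):
    """Return [(action, proto, port_or_None)] per ACE; remark lines are skipped."""
    entries = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if " remark " in line:
            continue
        m = ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, proto, port = m.groups()
        entries.append((action, proto, int(port) if port else None))
    return entries

def evaluate(entries, proto, dport=None):
    """First match wins; 'ip' matches any protocol; implicit deny at the end."""
    for action, p, port in entries:
        if p in ("ip", proto) and (port is None or port == dport):
            return action
    return "deny"

# ACL 199 in its second (restrictive) form, copied from the post above.
ACL_199 = """
access-list 199 remark VPN test
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 23
access-list 199 permit tcp any any eq 80
access-list 199 permit tcp any any eq 110
access-list 199 permit tcp any any eq 25
access-list 199 permit tcp any any eq 22
access-list 199 deny ip any any
"""

# Constructed flows a remote-access VPN client generates (well-known ports assumed).
VPN_FLOWS = {
    "IPsec IKE (UDP/500)": ("udp", 500),
    "IPsec NAT-T (UDP/4500)": ("udp", 4500),
    "IPsec ESP": ("esp", None),
    "PPTP control (TCP/1723)": ("tcp", 1723),
    "PPTP data (GRE)": ("gre", None),
}

def check_vpn_flows(acl_text):
    # Map each constructed VPN flow to the verdict the ACL gives it.
    entries = parse_acl(acl_text)
    return {n: evaluate(entries, p, d) for n, (p, d) in VPN_FLOWS.items()}
```

Running check_vpn_flows(ACL_199) shows ESP and GRE permitted but IKE, NAT-T and PPTP control denied, which is consistent with the client failing to connect under the second list while the first list (which only denied the data protocols) let it connect.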


