Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
6
Helpful
4
Replies

VPN access-list

guttormure
Level 1
Level 1

‎11-27-2007 02:51 AM - edited ‎03-05-2019 07:38 PM

i want to know if there is a more simple way to alow VPN trafic on a vlan

the way i'm dooing it now is just alowing varius ports depending on what is needed

and that can lead to some trouble because when i get a user that has a different cliend/port i have to go and add him to the access list so the list is "learning"

so is there a way for me to do this in anny other way that dose not require me to be loging in to the switch so often ?

and maby make the access list a littlebit smaller

Labels:
0 Helpful
4 Replies 4

mheusing
Cisco Employee
Cisco Employee

‎11-27-2007 05:16 AM

Hi,

The question can be rephrased: How much control do you need?

In case you do not want to control at the prot level you could simply allow the subnet or single hosts to send anything by only specifying IP addresses in the ACL.

Example: access-list 100 permit 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255

assuming VPN traffic from 10.1.0.0/16 to 192.168.1.0/24 - your ACL might look different of course.

In case you want control on the port level then there is no other choice, as there is no general rules as to which ports are allowed and which ports are not. You have to define them and maintain them.

More control means more work.

Regards, Martin

guttormure
Level 1
Level 1
In response to mheusing

‎11-27-2007 06:49 AM

well i only want to allow vpn traffic , web browsing and e-mail on this vlan

and i must be able to support various types of vpn clients because this is "public" access

0 Helpful

mheusing
Cisco Employee
Cisco Employee
In response to guttormure

‎11-30-2007 01:48 AM

Hi

I completely misunderstood your task. What you want is to block all traffic except VPN , email and HTTP.

Another solution would be to have an internet proxy setup, which generally allows to regulate traffic in a much more granular way than a LAN switch.

Yet, to my experience there are many different VPN solutions out there, so it will never be an easy task.

What hardware/software do you have for this task? some switches are restricted to port based ACLs and you might not find any other option than doing, what you do.

Regards, Martin

guttormure
Level 1
Level 1
In response to mheusing

‎12-06-2007 01:46 AM

that is one of the problems

these are not all the same model of switches

i have tested access-lists with the ahp esp and gre protocols but they only interact with the authentication not the connection

access-list 199 remark VPN test

access-list 199 deny ahp any any

access-list 199 deny esp any any

access-list 199 deny gre any any

access-list 199 permit ip any any

(note this list was made for testing)

this for example allows me to connect to the vpn but not authenticate

and when i change it into:

access-list 199 remark VPN test

access-list 199 permit ahp any any

access-list 199 permit esp any any

access-list 199 permit gre any any

access-list 199 permit tcp any any eq 23

access-list 199 permit tcp any any eq 80

access-list 199 permit tcp any any eq 110

access-list 199 permit tcp any any eq 25

access-list 199 permit tcp any any eq 22

access-list 199 deny ip any any

i can not connect, probably because the port

on which the VPN connection is trying to connect on is not permitted...

well maybe i have to do this with proxies :(

Kveðja Gutti

Regards Gutti

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card