11-27-2007 02:51 AM - edited 03-05-2019 07:38 PM
I want to know if there is a simpler way to allow VPN traffic on a VLAN.
The way I'm doing it now is just allowing various ports depending on what is needed,
and that can lead to some trouble because when I get a user that has a different client/port I have to go and add him to the access list, so the list is "learning".
So is there any other way for me to do this that does not require me to be logging in to the switch so often?
And maybe make the access list a little bit smaller.
11-27-2007 05:16 AM
Hi,
The question can be rephrased: How much control do you need?
In case you do not want to control at the port level you could simply allow the subnet or single hosts to send anything by only specifying IP addresses in the ACL.
Example: access-list 100 permit 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
assuming VPN traffic from 10.1.0.0/16 to 192.168.1.0/24 - your ACL might look different of course.
In case you want control on the port level then there is no other choice, as there are no general rules as to which ports are allowed and which ports are not. You have to define them and maintain them.
More control means more work.
Regards, Martin
11-27-2007 06:49 AM
Well, I only want to allow VPN traffic, web browsing and e-mail on this VLAN,
and I must be able to support various types of VPN clients because this is "public" access.
11-30-2007 01:48 AM
Hi
I completely misunderstood your task. What you want is to block all traffic except VPN, email and HTTP.
Another solution would be to have an internet proxy setup, which generally allows you to regulate traffic in a much more granular way than a LAN switch.
Yet, in my experience there are many different VPN solutions out there, so it will never be an easy task.
What hardware/software do you have for this task? Some switches are restricted to port based ACLs and you might not find any other option than doing what you do.
Regards, Martin
12-06-2007 01:46 AM
That is one of the problems:
these are not all the same model of switches.
I have tested access-lists with the ahp, esp and gre protocols but they only interact with the authentication, not the connection.
access-list 199 remark VPN test
access-list 199 deny ahp any any
access-list 199 deny esp any any
access-list 199 deny gre any any
access-list 199 permit ip any any
(note this list was made for testing)
This for example allows me to connect to the VPN but not authenticate,
and when I change it into:
access-list 199 remark VPN test
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 23
access-list 199 permit tcp any any eq 80
access-list 199 permit tcp any any eq 110
access-list 199 permit tcp any any eq 25
access-list 199 permit tcp any any eq 22
access-list 199 deny ip any any
I can not connect, probably because the port
on which the VPN connection is trying to connect is not permitted...
Well, maybe I have to do this with proxies :(
Regards, Gutti
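Added example (written here, not code from either poster or from Cisco): a small Python evaluator for the subset of numbered extended ACL syntax used in this thread. It parses Martin's subnet-only list 100 and Gutti's list 199, then checks which constructed VPN-client flows each list permits, so the effect of an ACL can be worked out before logging in to the switch. The client and gateway addresses (10.1.5.5, 192.168.1.10) and the flow set are constructed; the port numbers are the well-known assignments (IKE udp/500, IPsec NAT-T udp/4500, PPTP control tcp/1723). Martin's line omits the protocol keyword, which IOS itself requires for an extended ACL; the parser treats that case as `ip`.

```python
"""Evaluate Cisco-style numbered extended ACLs against sample flows.

Constructed helper for reasoning about the ACLs in this thread; it is not IOS
and implements only the syntax the posted lists use:
  access-list N remark ...
  access-list N {permit|deny} PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords the parser understands; anything else after permit/deny is
# treated as a bare address with protocol 'ip' (IOS requires the keyword).
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, only meaningful for tcp/udp

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: tuple                    # (base address as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, i):
    """Return ((base, wildcard), next_index) for 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _addr_match(ip: str, entry_addr) -> bool:
    base, wildcard = entry_addr
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
    return (_ip(ip) & care) == (base & care)

def parse_acl(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        action = tokens[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw}")
        i, proto = 3, "ip"
        if tokens[i] in PROTOCOLS:
            proto, i = tokens[i], i + 1
        src, i = _parse_addr(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def evaluate(entries, flow: Flow) -> str:
    """First match wins; no match hits the implicit deny at the end of every ACL."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_addr_match(flow.src, e.src) and _addr_match(flow.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"

# Gutti's second list 199 from the thread.
ACL_199_PERMIT = """
access-list 199 remark VPN test
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 23
access-list 199 permit tcp any any eq 80
access-list 199 permit tcp any any eq 110
access-list 199 permit tcp any any eq 25
access-list 199 permit tcp any any eq 22
access-list 199 deny ip any any
"""

# Martin's subnet-only example (protocol keyword absent in the post; parsed as 'ip').
ACL_100_SUBNET = "access-list 100 permit 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255"

# Constructed flows from a VLAN client (10.1.5.5) to a VPN gateway (192.168.1.10).
CLIENT, VPN_GW = "10.1.5.5", "192.168.1.10"
VPN_FLOWS = {
    "ike udp/500":    Flow("udp", CLIENT, VPN_GW, 500),
    "nat-t udp/4500": Flow("udp", CLIENT, VPN_GW, 4500),
    "esp":            Flow("esp", CLIENT, VPN_GW),
    "pptp tcp/1723":  Flow("tcp", CLIENT, VPN_GW, 1723),
    "gre":            Flow("gre", CLIENT, VPN_GW),
    "http tcp/80":    Flow("tcp", CLIENT, VPN_GW, 80),
}

def check_flows(acl_text: str, flows=VPN_FLOWS) -> dict:
    """Map each named flow to the action the ACL takes on it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, action in check_flows(ACL_199_PERMIT).items():
        print(f"{name:16} {action}")
```

Running it shows that list 199 permits the ESP and GRE data channels but hits the final `deny ip any any` for the IKE (udp/500), NAT-T (udp/4500) and PPTP control (tcp/1723) flows, which is the kind of gap that makes a client fail to connect even though the tunnel protocols themselves are permitted. Any new VPN type can be added to `VPN_FLOWS` and checked the same way.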