another vpn question

Dec 11th, 2007

Ok, I have a Cisco 1721 running 12.4 Advanced Enterprise as my firewall/router, and it terminates my dial-in VPN. The VPN works, however I cannot ping addresses inside the remote LAN unless I add the following line in my ACL on the Internet-facing interface: permit ip any any

I have already allowed UDP 500, 4500, and 10000. When I do a show access-list inbound, I see a hit count for isakmp, but not for 4500 or 10000, and I notice an increasing number on the deny ip any any after I ping. Now when I put in the permit any any it works. Is this a quick fix? If not, I will scrub my config and paste it in.

ivillegas Tue, 12/18/2007 - 14:19

Adding permit ip any any generally allows all IP addresses with any ports; that's why you see the count. You will find hit counts for port 4500 only if you have NAT-T enabled, and port 10,000 for split tunneling.

ryancolson Tue, 12/18/2007 - 17:13

I think I found my issue. I added a line for "permit esp any any" and it seemed to fix it, even without the permit ip any any. The funny thing is, though, that I am not seeing any counters on the ACL line for permit esp any any, but it's working.
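The fix in the reply above comes down to protocol numbers: ISAKMP (UDP 500) and NAT-T (UDP 4500) are UDP, but the tunnel traffic itself is ESP, IP protocol 50, which no "permit udp" line can ever match, so the encrypted packets fall through to the deny and the remote LAN is unreachable. The following inbound ACL is an added example written for this thread, not the poster's configuration: WAN_IP stands in for the 1721's outside address and FastEthernet0 for its outside interface (both placeholders), and the "before" and "after" lists are shown side by side so the difference is the single esp line.

```cisco
! Added example, not the original poster's config.
! WAN_IP = placeholder for the router's public address; FastEthernet0 = placeholder outside interface.
!
! BEFORE: UDP permits only. ESP (IP protocol 50) is not UDP, so every tunnel
! packet misses all three permits and lands on the deny; ping across the VPN fails.
ip access-list extended inbound-before
 remark IKE phase 1/2 negotiation
 permit udp any host WAN_IP eq isakmp
 remark IKE/ESP encapsulated in UDP 4500 when NAT-T kicks in
 permit udp any host WAN_IP eq non500-isakmp
 deny ip any any
!
! AFTER: same UDP permits plus the ESP payload, scoped to the router itself
! rather than "any any", and a logged deny so unexpected drops show in syslog.
ip access-list extended inbound
 remark IKE phase 1/2 negotiation
 permit udp any host WAN_IP eq isakmp
 remark NAT-T encapsulation of IKE and ESP
 permit udp any host WAN_IP eq non500-isakmp
 remark the IPsec tunnel traffic: ESP is IP protocol 50, not a UDP port
 permit esp any host WAN_IP
 remark explicit deny with logging for troubleshooting and detection
 deny ip any any log
!
interface FastEthernet0
 ip access-group inbound in
```

Scoping the esp permit to the router's own address keeps the Internet-facing interface from accepting ESP destined for hosts behind it, which "permit esp any any" would allow. After applying the list, "show ip access-lists inbound" shows per-line hit counts, and the logged deny line makes any remaining drops visible with "show logging" rather than only as a rising counter.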
