RA VPN ACL

gandhi.ganesh
Level 1

Hi,

I have configured an RA VPN tunnel and everything is working fine, but now I want to allow only the http/www port, because the VPN client should have access only to my application server and the rest of the ports need to be blocked. How do I do this?

5 Replies

andrew.prince
Level 10

Check out the below - a good source of config examples:-

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

HTH>

Hi Andrew,

I went through the same site to configure the tunnel and to create the ACL for the same tunnel.

Below is my ACL:

anders4883-asa# show access-list RA-tunnel

access-list RA-tunnel; 3 elements

access-list RA-tunnel line 1 extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=4) 0xa2541dbe

access-list RA-tunnel line 2 extended permit udp 192.168.1.0 255.255.255.0 eq www 10.0.0.0 255.255.255.0 eq www (hitcnt=0) 0xa7f31d26

access-list RA-tunnel line 3 extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=86) 0xa23d5fbf

Where 192.168.1.0/24 is my VPN pool IP range and 10.0.0.0/24 is my application server subnet.

I want to allow http://10.0.0.90 and ICMP also.

The rest of the things should be blocked.

Can you send the correct ACL for the same?

Your ACL line 2 is totally incorrect.

1) HTTP is a TCP protocol, not UDP

2) You cannot have a source port of www - as this is in the restricted ports range, your source port will ALWAYS be 1024 to 65535.

re-configure the line to:-

access-list RA-tunnel line 2 extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www

HTH>
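To see why the original line 2 never matched (hitcnt=0) and why the corrected entry does, the following small evaluator parses the ASA ACL lines quoted in this thread and runs a few sample flows through them, first match wins. This is an added example, not code from the thread or from Cisco; the client address 192.168.1.10, the ephemeral source port 49152 and the SSH flow are constructed for illustration, and the parser only covers the ACL syntax used on this page (network/mask, host, any and eq ports).

```python
"""Evaluate ASA-style extended ACL lines against sample flows (first match wins)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names the ASA accepts in "eq <name>"; subset sufficient for the thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]          # None means any source port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [line N] extended ...' entry.

    Handles the subset used on this thread: dotted network/mask, 'host' or 'any'
    addresses and optional 'eq <port>' operators. A trailing '(hitcnt=N) 0x...'
    from 'show access-list' output is ignored.
    """
    tokens = line.split()
    for idx, tok in enumerate(tokens):
        if tok.startswith("(hitcnt="):
            tokens = tokens[:idx]
            break
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2

    def read_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tokens[i] == "any":
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tokens[i] == "host":
            i += 2
            return ipaddress.IPv4Network(tokens[i - 1] + "/32")
        net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
        i += 2
        return net

    def read_port() -> Optional[int]:
        nonlocal i
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            i += 2
            return int(name) if name.isdigit() else PORT_NAMES[name]
        return None

    src = read_addr()
    src_port = read_port()
    dst = read_addr()
    dst_port = read_port()
    return Ace(action, proto, src, src_port, dst, dst_port)


# A flow is (protocol, src_ip, src_port, dst_ip, dst_port); ports are None for ICMP.
Flow = Tuple[str, str, Optional[int], str, Optional[int]]


def ace_matches(ace: Ace, flow: Flow) -> bool:
    proto, sip, sport, dip, dport = flow
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(sip) not in ace.src or ipaddress.IPv4Address(dip) not in ace.dst:
        return False
    if ace.src_port is not None and sport != ace.src_port:
        return False
    if ace.dst_port is not None and dport != ace.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, matching line number); ('deny', None) is the implicit deny at the end."""
    for lineno, ace in enumerate(acl, start=1):
        if ace_matches(ace, flow):
            return ace.action, lineno
    return "deny", None


# The three lines exactly as shown by 'show access-list RA-tunnel' in the thread.
ORIGINAL_ACL = [parse_ace(l) for l in [
    "access-list RA-tunnel line 1 extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=4) 0xa2541dbe",
    "access-list RA-tunnel line 2 extended permit udp 192.168.1.0 255.255.255.0 eq www 10.0.0.0 255.255.255.0 eq www (hitcnt=0) 0xa7f31d26",
    "access-list RA-tunnel line 3 extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=86) 0xa23d5fbf",
]]

# Same ACL with line 2 replaced by the corrected entry from the accepted answer.
CORRECTED_ACL = [
    ORIGINAL_ACL[0],
    parse_ace("access-list RA-tunnel line 2 extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www"),
    ORIGINAL_ACL[2],
]

# Constructed sample flows: a VPN client in the pool (192.168.1.10) using an
# ephemeral source port (49152), as real TCP clients do, talking to the web server.
HTTP_FLOW: Flow = ("tcp", "192.168.1.10", 49152, "10.0.0.90", 80)
PING_FLOW: Flow = ("icmp", "192.168.1.10", None, "10.0.0.90", None)
SSH_FLOW: Flow = ("tcp", "192.168.1.10", 49152, "10.0.0.90", 22)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for flow in (HTTP_FLOW, PING_FLOW, SSH_FLOW):
            print(name, flow, "->", evaluate(acl, flow))
```

Against the original ACL the HTTP flow falls through to line 3 and is denied, because line 2 only matches UDP with source port 80, which a browser never sends; against the corrected ACL the same flow is permitted by line 2, ICMP is still permitted by line 1, and anything else from the pool to the server subnet (SSH here) is still denied by line 3.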

Andrew,

Thanks for your precious time.

It's working.

np - glad to help.
