857 permit IP acl with VPN

May 3rd, 2009

My firewall is set up with CBAC on the LAN-to-public interface and ACLs inbound from public to LAN. When Cisco VPN clients connect outbound they authenticate and register fine, but only when a permit IP ACL from the secure host allows me to route. When testing I created UDP and TCP range ACLs to match, to get some idea of where packets were coming from, however there were no matches. Can anyone suggest how I can limit inbound IPsec rather than allow a permit ip?

John Blakley Mon, 05/04/2009 - 06:28

Your ACL can reference just ESP and UDP/500.

access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp

If you're allowing clients on the inside out, you can try this instead of adding the above to your public ACL:

ip inspect name FW isakmp
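
The following is an added example, not configuration from the thread or from Cisco, showing how the two pieces of the answer fit together on the public interface: the inbound ACL is narrowed from a blanket "permit ip" to the protocols IPsec actually needs, and CBAC inspection covers sessions that originate on the LAN. The ACL number 101 and the inspection name FW follow the answer above; the router's public address 203.0.113.1 (documentation range), the interface name Dialer0 and the NAT-T entry (UDP 4500, IOS keyword non500-isakmp) are assumptions for the example.

```cisco
! Added example (not from the thread): inbound ACL on the public interface
! limited to the protocols needed to terminate IPsec on the router itself.
! Assumed values: public address 203.0.113.1, interface Dialer0.
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit udp any host 203.0.113.1 eq non500-isakmp
access-list 101 permit esp any host 203.0.113.1
! Everything else from the public side is dropped; "log" gives you the
! source addresses the question was trying to discover with range ACLs.
access-list 101 deny ip any any log
!
! CBAC inspection for sessions leaving the LAN; isakmp lets the router
! open the return path for VPN clients on the inside.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW isakmp
!
interface Dialer0
 ip access-group 101 in
 ip inspect FW out
```

After applying it, "show access-lists 101" shows hit counters per entry, so you can confirm ISAKMP and ESP are matching the narrowed lines rather than the deny, and "show ip inspect sessions" lists the dynamic pinholes CBAC has opened. If ESP and ISAKMP match but the client still cannot route, check whether the decrypted traffic is being evaluated against the same inbound ACL (this depends on IOS release); the fix is an entry for the VPN client pool's addresses, not a return to "permit ip any any".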
