857 permit IP acl with VPN

Unanswered Question
May 3rd, 2009

My firewall is set up with CBAC on the LAN-to-public interface and ACLs inbound from public to LAN. When Cisco VPN clients connect outbound they authenticate and register fine, but only when a permit ip ACL from the secure host allows me to route. When testing I created UDP and TCP range ACLs to match, to get some idea of where packets were coming from; however, there were no matches. Can anyone suggest how I can limit inbound IPsec rather than allow ip permit?

John Blakley Mon, 05/04/2009 - 06:28

Your acl can reference just esp and udp/500.

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

If you're allowing clients on the inside out, you can try this instead of adding the above to your public acl.

ip inspect name FW isakmp

HTH,

John
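An added example, not part of this thread or of John's answer: a small Python audit that parses IOS-style numbered ACL entries (constructed sample lines, not the poster's real config), checks whether the two entries John lists (ESP and udp/500 ISAKMP) are permitted, additionally checks udp/4500 NAT-T, which is needed when a NAT sits between the client and the router (an assumption beyond the thread), and flags any broad "permit ip" entry like the one the poster wants to replace.

```python
import re

# Constructed sample ACL modelled on the thread: a broad "permit ip" from the
# VPN peer host plus the narrow entries from the answer.  Not a real config.
SAMPLE_ACL = """
access-list 101 permit ip host 203.0.113.10 any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 deny ip any any
"""

# Matches "access-list <num> permit|deny <proto> <src> <dst> [eq <port>]" with
# src/dst written as "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# What an IPsec peer needs through the public-facing inbound ACL: ESP, ISAKMP on
# udp/500 and (assumption: client behind NAT) NAT-T on udp/4500.
REQUIRED = {"esp": ("esp", None), "isakmp": ("udp", "500"), "nat-t": ("udp", "4500")}
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}  # IOS keyword -> port number


def parse_acl(text):
    """Return one dict per parsable ACE, with named ports normalised to numbers."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skip remarks, blank lines and shapes we do not model
        ace = m.groupdict()
        if ace["port"]:
            ace["port"] = PORT_NAMES.get(ace["port"], ace["port"])
        aces.append(ace)
    return aces


def audit_ipsec_acl(text):
    """Report which IPsec requirements are covered and which permits are overly broad."""
    aces = parse_acl(text)
    covered = {name: any(a["action"] == "permit" and a["proto"] == proto and a["port"] == port
                         for a in aces)
               for name, (proto, port) in REQUIRED.items()}
    # "permit ip" admits every protocol from that source, which the poster wants to avoid.
    broad = [a for a in aces if a["action"] == "permit" and a["proto"] == "ip"]
    return {"covered": covered, "broad_permits": broad}
```

Once the narrow entries show as covered, the flagged "permit ip" line can be removed and the VPN retested.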
