Internet Branch VPN Router Security Access-List Assistance

Answered Question
Jun 8th, 2009

Greetings,

I am interested in applying an access-list to a 2811 ISR branch VPN router to block all traffic except VPN and remote management. Can someone assist me with this? Here is what I have. The VPN comes up just fine but I lose remote management on the outside interface. I manage the router via SSH and/or HTTPS from HQ only.

ip access-list extended INTERNETFW
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any established
permit tcp X.X.X.X 0.0.0.31 eq ssh any
permit udp X.X.X.X 0.0.0.31 eq ssh any
permit tcp X.X.X.X 0.0.0.31 eq 443 any
deny ip any any log

Correct Answer
Giuseppe Larosa Mon, 06/08/2009 - 13:16

Hello Todd,

For accessing SSH on the remote interface you may need a line like:

permit tcp x.x.x.x 0.0.0.31 any eq ssh

Actually, the position of the ports counts and the well-known port is on the server side, if the ACL is applied inbound on the outside interface.

The same reasoning applies for TCP 443:

permit tcp x.x.x.x 0.0.0.31 any eq 443

Hope to help

Giuseppe
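To make the port-position point concrete, here is an added Python model of how an IOS extended ACL is evaluated; it is written for this page and is not code from the thread or from Cisco. It parses the ACL from the question and the version with Giuseppe's two corrected lines, then runs constructed packets through both. The HQ block 203.0.113.0/27 and the router address 198.51.100.1 are documentation-range placeholders for the X.X.X.X values above. It supports only the syntax used in this thread (any, network/wildcard pairs, eq, established, ICMP type keywords) and, like IOS, treats established as nothing more than a check that the ACK or RST flag is set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "isakmp": 500}  # the IOS port keywords used in this thread
ANY = (0, 0xFFFFFFFF)                     # (network, wildcard) with every bit "don't care"
# Constructed addresses: 203.0.113.0/27 stands in for the HQ block "X.X.X.X 0.0.0.31"
# from the question; 198.51.100.1 plays the branch router's outside interface.
ORIGINAL_TEXT = """
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any established
permit tcp 203.0.113.0 0.0.0.31 eq ssh any
permit udp 203.0.113.0 0.0.0.31 eq ssh any
permit tcp 203.0.113.0 0.0.0.31 eq 443 any
deny ip any any log
"""
# Giuseppe's fix: the well-known port goes after the destination, because the router
# is the server. The "udp ... eq ssh" line is dropped since SSH only runs over TCP.
CORRECTED_TEXT = (ORIGINAL_TEXT
                  .replace("permit udp 203.0.113.0 0.0.0.31 eq ssh any\n", "")
                  .replace("0.0.0.31 eq ssh any", "0.0.0.31 any eq ssh")
                  .replace("0.0.0.31 eq 443 any", "0.0.0.31 any eq 443"))

@dataclass
class Entry:
    action: str
    proto: str
    text: str
    src: tuple = ANY
    dst: tuple = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST set, which is all that "established" checks
    icmp_type: str = ""

def _parse_addr(tok, i):
    """Read 'any' or 'A.B.C.D W.W.W.W' at tok[i]; return ((net, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _parse_port(tok, i):
    # Read an optional "eq PORT" (keyword or number) at tok[i].
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # skip "ip access-list ..." headers and remarks
        e = Entry(action=tok[0], proto=tok[1], text=line.strip())
        e.src, i = _parse_addr(tok, 2)
        e.sport, i = _parse_port(tok, i)  # a port here constrains the SOURCE port
        e.dst, i = _parse_addr(tok, i)
        e.dport, i = _parse_port(tok, i)  # a port here constrains the DESTINATION port
        for kw in tok[i:]:                # trailing keywords: established, log, ICMP type
            if kw == "established":
                e.established = True
            elif kw != "log" and e.proto == "icmp":
                e.icmp_type = kw
        entries.append(e)
    return entries

def _addr_match(rule, ip):
    net, wild = rule
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport)
            and (not e.established or p.ack)
            and (not e.icmp_type or p.icmp_type == e.icmp_type))

def evaluate(entries, p):
    for e in entries:                     # first match wins
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"        # every IOS ACL ends with an implicit deny

ORIGINAL, CORRECTED = parse_acl(ORIGINAL_TEXT), parse_acl(CORRECTED_TEXT)
# Constructed: an HQ host opening SSH to the router (ephemeral source port, SYN only).
HQ_SSH = Packet("tcp", "203.0.113.5", "198.51.100.1", sport=51515, dport=22)
```

Calling evaluate(ORIGINAL, HQ_SSH) returns the deny from "deny ip any any log": the HQ host's source port is ephemeral, so "eq ssh" placed after the source address never matches an inbound management connection, and the packet falls through to the final deny (which is also why that line logs every lost SSH attempt). evaluate(CORRECTED, HQ_SSH) returns the permit from "permit tcp 203.0.113.0 0.0.0.31 any eq ssh". ISAKMP, ESP and ICMP echo are handled the same way by both lists, and return traffic of sessions the router itself opens still lands on the established entry. The model ignores port ranges, object groups and any stateful inspection, so it is a reading aid for the ACL, not a substitute for testing the real configuration.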

TODD BERGMAN Mon, 06/08/2009 - 13:20

Yes, you're correct. I figured it out. I appreciate your feedback. Thank you very much.
