I am interested in applying an access-list to a 2811 ISR branch VPN router to block all traffic except VPN and remote management. Can someone assist me with this? Here is what I have. The VPN comes up just fine, but I lose remote management on the outside interface. I manage the router via SSH and/or HTTPS from HQ only.
```
ip access-list extended INTERNETFW
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any established
 permit tcp X.X.X.X 0.0.0.31 eq ssh any
 permit udp X.X.X.X 0.0.0.31 eq ssh any
 permit tcp X.X.X.X 0.0.0.31 eq 443 any
 deny ip any any log
```
For accessing SSH on the remote interface you may need a line like

```
permit tcp x.x.x.x 0.0.0.31 any eq ssh
```

Actually, the position of the ports counts, and the well-known port is on the server side if the ACL is applied inbound on the outside interface.

The same reasoning applies for TCP 443:

```
permit tcp x.x.x.x 0.0.0.31 any eq 443
```

Hope this helps.
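As an added illustration (not part of either post) of why the port position matters: a small Python model of IOS access-list matching, run over the poster's TCP entries and the reply's corrected form. The HQ block, router address and packet are constructed stand-ins for the thread's X.X.X.X 0.0.0.31; `established` is modelled as matching only segments with ACK or RST set.

```python
import ipaddress

# Constructed addresses standing in for the thread's X.X.X.X 0.0.0.31 (a /27 at HQ).
HQ = ("203.0.113.0", "0.0.0.31")
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a set bit in the wildcard means "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def ace_matches(ace, pkt):
    # One access-control entry against one packet; absent port keys mean "any".
    if ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace.get("sport") is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace.get("dport") is not None and pkt.get("dport") != ace["dport"]:
        return False
    # 'established' matches only segments with ACK or RST set, never a fresh SYN.
    if ace.get("established") and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def acl_verdict(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # the implicit deny at the end of every IOS ACL
# The poster's TCP entries as written: 'eq ssh' before 'any' qualifies the SOURCE port.
ORIGINAL = [
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ANY, "established": True},
    {"action": "permit", "proto": "tcp", "src": HQ, "dst": ANY, "sport": 22},
    {"action": "permit", "proto": "tcp", "src": HQ, "dst": ANY, "sport": 443},
]
# The reply's form: 'eq ssh' after the destination qualifies the DESTINATION port.
CORRECTED = [
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ANY, "established": True},
    {"action": "permit", "proto": "tcp", "src": HQ, "dst": ANY, "dport": 22},
    {"action": "permit", "proto": "tcp", "src": HQ, "dst": ANY, "dport": 443},
]
# Constructed inbound SSH SYN from an HQ host to the router's outside address (198.51.100.1),
# plus the same SYN from an address outside the HQ /27 (.40 is past .31).
SSH_FROM_HQ = {"proto": "tcp", "src": "203.0.113.7", "dst": "198.51.100.1", "sport": 51234, "dport": 22}
SSH_FROM_ELSEWHERE = dict(SSH_FROM_HQ, src="203.0.113.40")

def verdicts():
    return {"original_hq": acl_verdict(ORIGINAL, SSH_FROM_HQ),
            "corrected_hq": acl_verdict(CORRECTED, SSH_FROM_HQ),
            "corrected_other": acl_verdict(CORRECTED, SSH_FROM_ELSEWHERE)}
```

Calling `verdicts()` shows the original entry dropping the management SYN at the implicit deny, the corrected entry permitting it, and the same SYN from outside the HQ block still denied.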