Internet Branch VPN Router Security Access-List Assistance

Answered Question
Jun 8th, 2009
Greetings,

I am interested in applying an access-list to a 2811 ISR branch VPN router to block all traffic except VPN and remote management. Can someone assist me with this? Here is what I have. The VPN comes up just fine, but I lose remote management on the outside interface. I manage the router via SSH and/or HTTPS from HQ only.


ip access-list extended INTERNETFW
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any established
 permit tcp X.X.X.X 0.0.0.31 eq ssh any
 permit udp X.X.X.X 0.0.0.31 eq ssh any
 permit tcp X.X.X.X 0.0.0.31 eq 443 any
 deny ip any any log

Correct Answer by Giuseppe Larosa about 7 years 11 months ago

Hello Todd,

For accessing SSH on the remote interface you may need a line like

permit tcp x.x.x.x 0.0.0.31 any eq ssh

Actually, the position of the ports counts, and the well-known port is on the server side if the ACL is applied inbound on the outside interface.

The same reasoning applies for TCP 443:

permit tcp x.x.x.x 0.0.0.31 any eq 443


Hope to help

Giuseppe
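The port-position rule in the answer, worked through with a toy evaluator. This is an added example, not code from the thread or from Cisco: it parses extended-ACL entries written the way they appear above and applies them first-match-wins to constructed packets, so you can see that an entry with `eq ssh` after the source address only matches segments whose source port is 22, which an administrator's SSH client never sends. The HQ network 198.51.100.0 0.0.0.31, the router's outside address 203.0.113.1 and all packets are constructed stand-ins for the X.X.X.X in the original; the "corrected" ACL uses the answer's two lines and drops the `permit udp ... eq ssh` entry, since SSH runs over TCP only. ICMP types and the `log` keyword are parsed but not acted on.

```python
"""Toy Cisco IOS extended-ACL evaluator (added example, not code from the thread).

Entries are matched in order, first match wins, with the implicit deny every
IOS ACL ends with.  Only the features used by the question's ACL are modelled.
"""

PORT_NAMES = {"ssh": 22, "isakmp": 500, "www": 80}


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_addr(tokens, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` (address + wildcard mask)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_to_int(tokens[i + 1]), 0), i + 2
    return (ip_to_int(tokens[i]), ip_to_int(tokens[i + 1])), i + 2


def parse_port(tokens, i):
    """Parse an optional `eq <port>` qualifier that follows an address."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """One access-control entry -> dict; trailing keywords (established, log, echo) become flags."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2)
    sport, i = parse_port(tokens, i)      # a port here applies to the SOURCE side
    dst, i = parse_addr(tokens, i)
    dport, i = parse_port(tokens, i)      # a port here applies to the DESTINATION side
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(tokens[i:])}


def addr_match(spec, addr):
    base, wildcard = spec                 # wildcard bits set to 1 are "don't care"
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def ace_match(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not addr_match(ace["src"], ip_to_int(pkt["src"])):
        return False
    if not addr_match(ace["dst"], ip_to_int(pkt["dst"])):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if "established" in ace["flags"] and not pkt.get("ack", False):
        return False                      # `established` matches only segments with ACK (or RST) set
    return True


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet evaluated against an ordered ACL."""
    for ace in acl:
        if ace_match(ace, pkt):
            return ace["action"]
    return "deny"                         # implicit deny at the end of every IOS ACL


# Constructed stand-in for the X.X.X.X management network (a /27, wildcard 0.0.0.31)
HQ = "198.51.100.0 0.0.0.31"

ORIGINAL_ACL = [parse_ace(l) for l in f"""
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any established
permit tcp {HQ} eq ssh any
permit udp {HQ} eq ssh any
permit tcp {HQ} eq 443 any
deny ip any any log
""".split("\n") if l.strip()]

# The answer's fix: well-known port on the destination side. UDP "ssh" dropped (SSH is TCP only).
CORRECTED_ACL = [parse_ace(l) for l in f"""
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any established
permit tcp {HQ} any eq ssh
permit tcp {HQ} any eq 443
deny ip any any log
""".split("\n") if l.strip()]

# Constructed packets as seen INBOUND on the outside interface of the branch router (203.0.113.1)
SAMPLE_PACKETS = {
    "SSH SYN from HQ admin":      {"proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.1", "sport": 51234, "dport": 22, "ack": False},
    "HTTPS SYN from HQ admin":    {"proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.1", "sport": 51235, "dport": 443, "ack": False},
    "IKE from HQ VPN peer":       {"proto": "udp", "src": "198.51.100.1", "dst": "203.0.113.1", "sport": 500, "dport": 500},
    "SSH SYN from elsewhere":     {"proto": "tcp", "src": "192.0.2.77", "dst": "203.0.113.1", "sport": 40000, "dport": 22, "ack": False},
    "reply to an outbound HTTPS": {"proto": "tcp", "src": "192.0.2.80", "dst": "203.0.113.1", "sport": 443, "dport": 52000, "ack": True},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:28} original={evaluate(ORIGINAL_ACL, pkt):6} corrected={evaluate(CORRECTED_ACL, pkt)}")
```

Running it shows why the VPN kept working while management broke: IKE and ESP match their own entries in both versions, and replies to sessions the branch opened are covered by `established`, but the administrator's SSH and HTTPS SYNs from HQ fall through to `deny ip any any log` in the original ACL and are only permitted once the port sits on the destination side. The non-HQ SSH attempt is denied in both versions, which is the behaviour the question asked for.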


TODD BERGMAN Mon, 06/08/2009 - 13:20
Yes, you're correct. I figured it out. I appreciate your feedback. Thank you very much.