Solved: Internet Branch VPN Router Security Access-List Assistance

TODD BERGMAN · ‎06-08-2009

Greetings,

I am interested in applying an access-list to a 2811 ISR branch vpn router to block all traffic execept VPN and remote management. Can someone assist me with this. Here is what I have. The VPN comes up just fine but I lose remote management on the outside interface. I manage the router via SSH and or HTTPS from HQ only.

ip access-list extended INTERNETFW

permit esp any any

permit udp any any eq isakmp

permit icmp any any echo

permit icmp any any echo-reply

permit tcp any any established

permit tcp X.X.X.X 0.0.0.31 eq ssh any

permit udp X.X.X.X 0.0.0.31 eq ssh any

permit tcp X.X.X.X 0.0.0.31 eq 443 any

deny ip any any log

Giuseppe Larosa · ‎06-08-2009

Hello Todd,

for accessing SSH on the remote interface you may need a line like

permit tcp x.x.x.x 0.0.0.31 any eq ssh

Actually, the position of the ports counts and the well known port is on the server side.

if the ACL is applied inbound on the outside interface.

the same reasoning for TCP 443

permit tcp x.x.x.x 0.0.0.31 any eq 443

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎06-08-2009