IOS SSL VPN and Thin Client

Chuan Liu
Level 1

Hi All,

I have set up SSL VPN on a border C871 with port forwarding for Telnet and SSH access to inside C3845 routers. The inside router has an ACL enabled to control access on the vty lines. When I remove the ACL, I can successfully telnet to 127.0.0.1 3000 from the local PC to the inside router. When the ACL is enabled, I cannot access the router. One would think this is normal. But the problem is there even if I have a 'permit any' statement in the ACL to allow any access. Here is the script:

-------------------------

access-list 99 permit any

line vty 0 4

access-class 99 in

transport input all

!

--------------------------

The C871 is running c870-advipservicesk9-mz.124-15.T9.bin, and the C3845 is running c3845-advipservicesk9-mz.124-9.T7.bin.

Any ideas on this would be appreciated.

Thanks.

Chuan
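A quick way to tell apart the possible outcomes of the "telnet 127.0.0.1 3000" test described above (thin-client applet not listening, forwarder accepted the local socket but the far end dropped the session, or the inside router actually answered with its SSH banner) is to probe the local port and read the first line. The script below is an added example, not code from the thread or from Cisco; it assumes the port-forward maps 127.0.0.1:3000 to an SSH server as in the post, and the fake banner server is constructed only so the probe can be exercised offline.

```python
"""Probe a WebVPN thin-client (port-forward) local port and classify the result.

Added example for the thread above, not part of the original post. Assumes the
port-forward rule maps 127.0.0.1:3000 to an SSH server (remote-port 22), as in
the post. The fake SSH banner server is a constructed stand-in for offline use.
"""
import socket
import threading


def probe_forwarded_port(host="127.0.0.1", port=3000, timeout=3.0):
    """Connect to the thin-client local port and report what happened.

    Returns (status, first_line) where status is one of:
      'banner'  - connected and the far end sent an SSH identification line,
                  so the port-forward and the inside vty both let us through
      'other'   - connected and got data that is not an SSH banner
      'closed'  - connected, but the socket was closed with no data; for a
                  generic TCP forwarder this is what you see when the local
                  applet accepts the socket and the remote side then refuses
      'refused' - nothing listening on host:port (applet not running, or
                  the local-port in the port-forward rule differs)
      'timeout' - connected but nothing heard within the timeout
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                return ("timeout", "")
            except ConnectionResetError:
                return ("closed", "")
            if not data:
                return ("closed", "")
            first_line = data.split(b"\n", 1)[0].strip()
            text = first_line.decode("ascii", "replace")
            # RFC 4253: the server identification string starts with "SSH-".
            if text.startswith("SSH-"):
                return ("banner", text)
            return ("other", text)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")


def start_fake_ssh_server(banner=b"SSH-2.0-Cisco-1.25\r\n", close_silently=False):
    """Constructed stand-in for the forwarded SSH service (testing only).

    Listens on an ephemeral loopback port, serves exactly one connection, and
    returns the port number. With close_silently=True it accepts and closes
    without sending anything, mimicking a forwarder whose far end refused.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        try:
            if not close_silently:
                conn.sendall(banner)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def unused_local_port():
    """Return a loopback port with nothing listening, to exercise 'refused'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Against the real setup from the post: the applet's local port 3000.
    print(probe_forwarded_port("127.0.0.1", 3000))
```

Run it on the laptop while the SSL VPN thin-client applet is active; a 'refused' result points at the applet or the local-port value, while 'closed' or 'timeout' with the ACL applied and 'banner' without it narrows the problem to the hop between the SSL VPN gateway and the inside router's vty.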

2 Replies

james.bastnagel
Level 1

Chuan,

Can you post a copy of the ACL itself and confirm what port you are using for telnet access? From your post it appears that you may be using port 3000, but I am unclear on that piece.

James

Hi James,

I cannot access it even when the ACL has only one statement: access-list 99 permit any.

In the SSL VPN router, port 3000 is defined for SSH:

port-forward "Core01"
   local-port 3000 remote-server "192.168.179.193" remote-port 22

When connected from the laptop to the SSL VPN router, I telnet to 127.0.0.1 3000 from a DOS prompt.

When the above ACL is removed, the telnet works.

Thanks for your idea,

Chuan