
Edge Router ACL blocking VPN client access

Dec 28th, 2006

I have a PIX 515E configured at a client site to allow the Sales Force to connect Securely to the VPN client. The problem I am having is that this only works when I drop the ACL on the border router.

When the ACL on the border router is in place inbound on the router's outside interface, the VPN client WILL NOT connect thru it to the 515 behind it.

What ports do I need to permit in the Router's ACL to allow the Cisco VPN client connection attempts to succeed?

I had already tried opening the following:

remark "allow the Cisco VPN client in"

permit tcp any eq 50 any

permit udp any eq isakmp any

permit udp any eq 10000 any

permit esp any host 206.248.224.2

permit ahp any host 206.248.224.2

The public IP address of our Firewall is 206.248.224.2.


Please help.


thx

pmajumder Thu, 12/28/2006 - 08:01

Hello,

Try the following acl:

permit esp any host 206.248.224.2

permit udp any host 206.248.224.2 eq isakmp

permit udp any eq isakmp host 206.248.224.2

permit udp any host 206.248.224.2 eq non500-isakmp

permit udp any host 206.248.224.2 eq 10000


Regards

Pradeep

Kevin Melton Thu, 12/28/2006 - 10:48

Thanks.


That did work.


Why did we have to be specific to the host 206.248.224.2 with the statements to make this work?

Also, why did we have to add the statement for "non-isakmp" when it is actually an ISAKMP tunnel that is launched?

pmajumder Thu, 12/28/2006 - 11:31

The non-isakmp is for udp port 4500 which is used for nat traversal. If you don't have a requirement for nat-t then you can drop that line.


As for specifying, you just have to ensure that you are allowing inbound traffic TO the other required ports (UDP 500, esp, etc).

ge4sat Thu, 12/28/2006 - 13:25

The other thing that was done in your access-list is that you allowed TCP port 50. You actually want to allow protocol 50, so it would not be TCP.
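The following script is an added illustration, not part of the thread and not Cisco code. It parses the two ACLs posted above with a simplified IOS-style matcher (first match wins, implicit deny at the end, only the `any` / `host X` / `eq PORT` forms used in the thread) and runs constructed VPN client packets through both. The client address 198.51.100.7 and the PAT-rewritten source port 61000 are invented sample values. The point it demonstrates is the one the answers make: `permit udp any eq isakmp any` keys on the source port, so a packet whose source port was rewritten by a NAT device, or a NAT-T packet to UDP 4500, falls through to the implicit deny, whereas the answer's lines permit traffic TO the required ports on the firewall; and `permit tcp any eq 50 any` can never match ESP, which is IP protocol 50, not a TCP port.

```python
from dataclasses import dataclass
from typing import List, Optional

FIREWALL = "206.248.224.2"      # public address of the PIX, from the thread
CLIENT = "198.51.100.7"         # constructed sample VPN client address

# Port keywords IOS accepts in these ACL lines, resolved to numbers
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "esp" or "ahp"
    src: str
    dst: str
    sport: Optional[int] = None # None for protocols without ports (esp, ahp)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: Optional[str]          # None means "any"
    sport: Optional[int]        # None means no "eq" qualifier
    dst: Optional[str]
    dport: Optional[int]


def _addr(tokens: List[str], i: int):
    """Parse 'any' or 'host X' at tokens[i]; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        if name.isdigit():
            return int(name), i + 2
        if name in NAMED_PORTS:
            return NAMED_PORTS[name], i + 2
        raise ValueError(f"unknown port keyword: {name}")
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended-ACL entry; remarks yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches only when protocol, addresses and any 'eq' ports all agree."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ace.src != pkt.src:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """First-match semantics with the implicit deny at the end, as on IOS."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is not None and ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL from the question, as posted
ORIGINAL_ACL = [
    "remark allow the Cisco VPN client in",
    "permit tcp any eq 50 any",
    "permit udp any eq isakmp any",
    "permit udp any eq 10000 any",
    f"permit esp any host {FIREWALL}",
    f"permit ahp any host {FIREWALL}",
]

# The ACL from the first answer
ANSWER_ACL = [
    f"permit esp any host {FIREWALL}",
    f"permit udp any host {FIREWALL} eq isakmp",
    f"permit udp any eq isakmp host {FIREWALL}",
    f"permit udp any host {FIREWALL} eq non500-isakmp",
    f"permit udp any host {FIREWALL} eq 10000",
]

# Constructed sample packets arriving inbound on the router's outside interface
IKE_FROM_PORT_500 = Packet("udp", CLIENT, FIREWALL, 500, 500)    # ISAKMP, no NAT
IKE_AFTER_PAT = Packet("udp", CLIENT, FIREWALL, 61000, 500)      # source port rewritten by PAT
NAT_T = Packet("udp", CLIENT, FIREWALL, 4500, 4500)              # NAT traversal keepalive/ESP-in-UDP
ESP = Packet("esp", CLIENT, FIREWALL)                            # IP protocol 50, no ports

if __name__ == "__main__":
    for name, pkt in [("ISAKMP src 500", IKE_FROM_PORT_500), ("ISAKMP after PAT", IKE_AFTER_PAT),
                      ("NAT-T UDP 4500", NAT_T), ("ESP", ESP)]:
        print(f"{name:18} original={evaluate(ORIGINAL_ACL, pkt):6} answer={evaluate(ANSWER_ACL, pkt)}")
```

Running it shows the original ACL admitting only the unmodified ISAKMP packet and ESP, while the answer's ACL admits all four; the tcp/50 line matches nothing, since the matcher compares IP protocol before it ever looks at ports.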
