12-28-2006 07:14 AM - edited 02-21-2020 02:47 PM
I have a PIX 515E configured at a client site to allow the Sales Force to connect Securely to the VPN client. The problem I am having is that this only works when I drop the ACL on the border router.
When the ACL on the border router is in place inbound on the router's outside interface, the VPN client WILL NOT connect through it to the 515 behind it.
What ports do I need to permit in the Router's ACL to allow the Cisco VPN client connection attempts to succeed?
I had already tried opening the following:
remark "allow the Cisco VPN client in"
permit tcp any eq 50 any
permit udp any eq isakmp any
permit udp any eq 10000 any
permit esp any host 206.248.224.2
permit ahp any host 206.248.224.2
The public IP address of our Firewall is 206.248.224.2.
Please help.
thx
12-28-2006 08:01 AM
Hello,
Try the following acl:
permit esp any host 206.248.224.2
permit udp any host 206.248.224.2 eq isakmp
permit udp any eq isakmp host 206.248.224.2
permit udp any host 206.248.224.2 eq non500-isakmp
permit udp any host 206.248.224.2 eq 10000
Regards
Pradeep
12-28-2006 10:48 AM
Thanks.
That did work.
Why did we have to be specific to the host 206.248.224.2 with the statements to make this work?
Also, why did we have to add the statement for "non-isakmp" when it is actually an ISAKMP tunnel that is launched?
12-28-2006 11:31 AM
The non-isakmp is for udp port 4500 which is used for nat traversal. If you don't have a requirement for nat-t then you can drop that line.
As for specifying you just have to ensure that you are allowing inbound traffic TO the other required ports (UDP 500, esp, etc).
12-28-2006 01:25 PM
The other thing that was done in your access-list is that you allowed TCP PORT 50. You actually want to allow Protocol 50. So it would not be TCP.
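To make the two points in this thread concrete (the position of "eq" decides whether a source or a destination port is tested, and "tcp ... eq 50" is a TCP port, not IP protocol 50/ESP), here is a small model of Cisco IOS extended-ACL first-match evaluation. This is an added example and not part of the thread or of any Cisco tool; the ACL lines are the ones posted above, the sample packets are constructed, and the client address 198.51.100.7 and its ephemeral source port are assumptions. The model only understands "any", "host", and "eq", which is all these ACLs use.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

FIREWALL = "206.248.224.2"          # public IP of the PIX, as given in the thread
CLIENT = "198.51.100.7"             # assumed address of a remote VPN client (constructed)

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS keyword -> UDP port

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "esp" or "ahp"
    src: str
    dst: str
    sport: Optional[int] = None     # only meaningful for tcp/udp
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[int]            # "eq" right after the source address
    dst: str
    dport: Optional[int]            # "eq" right after the destination address

def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)

def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'permit <proto> <src> [eq <port>] <dst> [eq <port>]'; remarks yield None."""
    toks = line.split()
    if toks[0] == "remark":
        return None
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address syntax in: {line}")

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src = take_addr()
    sport = take_port()
    dst = take_addr()
    dport = take_port()
    return Ace(action, proto, src, sport, dst, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches only if protocol, both addresses and any tested ports all agree."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False                 # 'tcp ... eq 50' can never match an ESP packet
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True

def acl_decision(acl: List[str], pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace is not None and ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The ACL from the first post and the one from the reply, verbatim.
ORIGINAL_ACL = [
    'remark "allow the Cisco VPN client in"',
    "permit tcp any eq 50 any",
    "permit udp any eq isakmp any",
    "permit udp any eq 10000 any",
    f"permit esp any host {FIREWALL}",
    f"permit ahp any host {FIREWALL}",
]
CORRECTED_ACL = [
    f"permit esp any host {FIREWALL}",
    f"permit udp any host {FIREWALL} eq isakmp",
    f"permit udp any eq isakmp host {FIREWALL}",
    f"permit udp any host {FIREWALL} eq non500-isakmp",
    f"permit udp any host {FIREWALL} eq 10000",
]

# Constructed inbound packets: IKE from port 500, IKE from a client whose PAT
# device rewrote the source port, NAT-T on 4500, and the ESP data channel.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ike_src500": Packet("udp", CLIENT, FIREWALL, 500, 500),
    "ike_natted": Packet("udp", CLIENT, FIREWALL, 61234, 500),
    "nat_t":      Packet("udp", CLIENT, FIREWALL, 61234, 4500),
    "esp":        Packet("esp", CLIENT, FIREWALL),
}

def evaluate(acl: List[str]) -> Dict[str, str]:
    return {name: acl_decision(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, evaluate(acl))
```

Running it shows the original list only admits IKE when the client's source port happens to be 500 and never admits NAT-T, while the corrected list tests the destination port on the firewall host and admits all four; the "permit tcp any eq 50 any" line matches none of them, which is the point made in the last post.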