Edge Router ACL blocking VPN client access

Kevin Melton · ‎12-28-2006

I have a PIX 515E configured at a client site to allow the Sales Force to connect Securely to the VPN client. The problem I am having is that this only works when I drop the ACL on the border router.

When the ACL on the border router is in place inbound on the router's outside interface , the VPN client WILL NOT connect thru it to the 515 behind it.

What ports do I need to permit in the Router's ACL to allow the Cisco VPN client connection attempts to succeed?

I had already tried opening the following:

remark "allow the Cisco VPN client in"

permit tcp any eq 50 any

permit udp any eq isakmp any

permit udp any eq 10000 any

permit esp any host 206.248.224.2

permit ahp any host 206.248.224.2

The public IP addx of our Firewall is 206.248.224.2.

Please help.

thx

pmajumder · ‎12-28-2006

Hello,

Try the following acl:

permit esp any host 206.248.224.2

permit udp any host 206.248.224.2 eq isakmp

permit udp any eq isakmp host 206.248.224.2

permit udp any host 206.248.224.2 eq non500-isakmp

permit udp any host 206.248.224.2 eq 10000

Regards

Pradeep

Kevin Melton · ‎12-28-2006

Thanks.

That did work.

Why did we have to be specific to the host 206.248.224.2 with the statements to make this work?

Also, we did we have to add the statement for "non-isakmp" when it is actuall an ISAKMP tunnel that is launched.

pmajumder · ‎12-28-2006

The non-isakmp is for udp port 4500 which is used for nat traversal. If you don't have a requirement for nat-t then you can drop that line.

As for specifying you just have to ensure that you are allowing inbound traffic TO the other required ports (UDP 500, esp, etc).

ge4sat · ‎12-28-2006

the other thing that was done in your access-list is that you allowed TCP PORT 50. You actually want to Allow Protocol 50. So it would not be TCP.