
Securing Router VPN with Public IP

When using the following ACL on the router side of a PIX-to-2651XM VPN, no connectivity is established until the access-group is dropped from the FastEthernet0/1 interface; then it comes up and works fine.

We need to harden this FE interface, as it has a public IP on a router with IOS support for VPNs.

What am I missing?

access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any

interface FastEthernet0/1
 ip access-group 150 in

Note:
host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM

1 REPLY

Re: Securing Router VPN with Public IP

You need to allow for ISAKMP traffic.

access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq isakmp
access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq 4500 (NAT-T)
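For reference, here is a tighter version of the kind of inbound ACL discussed in this thread. It is an added example, not configuration from either poster: it keeps the peer addresses from the original post as placeholders (AA.BB.CC.DD is the remote PIX, WW.XX.YY.ZZ is this router's FastEthernet0/1 address), uses a named ACL (name VPN-EDGE-IN is an arbitrary choice), and replaces the blanket permit ip from the original post with only the protocols an IPsec peer actually needs: IKE on UDP/500, NAT-T on UDP/4500, ESP and AH. GRE is included only for a GRE-over-IPsec design; drop it otherwise. IGMP is omitted because a point-to-point site-to-site tunnel does not need it.

```cisco
! Added example (not from the original post): hardened inbound ACL for the
! public-facing interface of an IOS IPsec endpoint.
! Placeholders: AA.BB.CC.DD = remote PIX, WW.XX.YY.ZZ = this router's Fa0/1.
ip access-list extended VPN-EDGE-IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) from the known peer only
 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq isakmp
 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ eq non500-isakmp
 remark IPsec data plane from the known peer only
 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
 remark GRE is needed only for GRE-over-IPsec; remove this line otherwise
 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
 remark ICMP: allow pings from the peer and PMTUD feedback from anywhere
 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ echo
 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ echo-reply
 permit icmp any host WW.XX.YY.ZZ packet-too-big
 remark Everything else from the Internet is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group VPN-EDGE-IN in
```

Two caveats before applying this. First, the ACL blocks all management traffic (SSH, SNMP, HTTP) arriving on the public interface, which is the intent; manage the router through the tunnel or from the inside interface, and remember that logged denies are process-switched, so consider removing the log keyword once the tunnel is stable. Second, some IOS releases also evaluate the inbound interface ACL a second time against packets after they have been decrypted; on such a release the cleartext LAN-to-LAN traffic inside the tunnel needs its own permit entries ahead of the final deny, or the tunnel will come up (show crypto isakmp sa, show crypto ipsec sa) while user traffic is still dropped. In either case, show ip access-lists VPN-EDGE-IN shows per-entry match counters, which is the quickest way to see which line is catching the traffic that the original post describes as failing.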
