
New Member

VPN access-list

folks,

I have a problem with my VPN client not connecting to another corporate VPN server. I have an INBOUND access-list on my router which is permitting only the below access-list. When I remove the below access-list from the interface, remote VPN works fine. What other protocols should I allow?

ip access-list extended test
permit esp any host X.X.X.X
permit udp any eq non500-isakmp host X.X.X.X
permit udp any eq isakmp host X.X.X.X
permit ahp any host X.X.X.X

6 REPLIES

VPN access-list

Not quite sure about the direction of the ports you mentioned above:

try

permit esp any host X.X.X.X
permit udp any host X.X.X.X eq non500-isakmp
permit udp any host X.X.X.X eq isakmp
permit udp any host X.X.X.X eq 4500
permit ah any host X.X.X.X

Manish

New Member

VPN access-list

folks

The traffic flow is from the Internet (meaning to the other corporate network) to the internal LAN. What I have mentioned above is for the return inbound traffic on the Internet router. For outbound traffic I have permitted everything.

thanks

VIP Purple

Re: VPN access-list

For the typical IPsec VPN the following ACEs are enough:

permit udp any host x.x.x.x eq 500 4500 ! ISAKMP and NAT-Traversal
permit esp any host x.x.x.x    ! VPN-Data-Packets when no NAT-Traversal is used

You don't need to allow the protocol AH (Authentication Header), as it is not used for VPNs anymore.

Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
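Added example, not part of any post in this thread and not a Cisco tool: a small Python evaluator for the subset of IOS extended-ACL syntax used in the lists above (esp/ah/udp, `any` or `host A.B.C.D`, optional `eq PORT [PORT ...]`, trailing `!` comments). It runs constructed return packets from a remote VPN server against the original list, the list in the reply about port direction, and the two-line list in the reply just above, to show what that direction remark is about: an `eq` written after the source matches the source port, an `eq` written after the destination matches the destination port. The addresses (203.0.113.10 standing in for X.X.X.X, 198.51.100.5 for the remote VPN server), the port 62000 and the packets themselves are made up for the demonstration.

```python
"""Evaluate constructed IPsec return packets against the ACL variants in
this thread.  Added example: it is not from the forum post and not a
Cisco tool; it implements only the subset of IOS extended-ACL syntax
used above (esp/ah/udp, 'any' or 'host A.B.C.D', optional 'eq PORT...').
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# IOS port keywords that appear in the thread.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Constructed addresses: the router's public address stands in for X.X.X.X.
ROUTER = "203.0.113.10"
REMOTE_VPN = "198.51.100.5"

# The three lists from the thread, with X.X.X.X substituted.
ORIGINAL_ACL = [
    f"permit esp any host {ROUTER}",
    f"permit udp any eq non500-isakmp host {ROUTER}",
    f"permit udp any eq isakmp host {ROUTER}",
    f"permit ahp any host {ROUTER}",
]
MANISH_ACL = [
    f"permit esp any host {ROUTER}",
    f"permit udp any host {ROUTER} eq non500-isakmp",
    f"permit udp any host {ROUTER} eq isakmp",
    f"permit udp any host {ROUTER} eq 4500",
    f"permit ah any host {ROUTER}",
]
KARSTEN_ACL = [
    f"permit udp any host {ROUTER} eq 500 4500 ! ISAKMP and NAT-Traversal",
    f"permit esp any host {ROUTER}    ! VPN-Data-Packets when no NAT-Traversal is used",
]

@dataclass(frozen=True)
class Packet:
    proto: str                  # "esp", "ahp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    sports: Optional[FrozenSet[int]]   # None means "any source port"
    dst: str
    dports: Optional[FrozenSet[int]]   # None means "any destination port"
    text: str

def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def _parse_endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[FrozenSet[int]], int]:
    """Parse 'any' | 'host A.B.C.D', then an optional 'eq PORT [PORT ...]'."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    ports = None
    if i < len(tokens) and tokens[i] == "eq":
        i += 1
        found = set()
        while i < len(tokens) and tokens[i] not in ("any", "host", "log"):
            found.add(_port(tokens[i]))
            i += 1
        ports = frozenset(found)
    return addr, ports, i

def parse_ace(line: str) -> Ace:
    text = line.split("!")[0].strip()          # drop a trailing IOS comment
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, sports, i = _parse_endpoint(tokens, 2)
    dst, dports, _ = _parse_endpoint(tokens, i)
    return Ace(action, proto, src, sports, dst, dports, text)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sports is not None and pkt.sport not in ace.sports:
        return False
    if ace.dports is not None and pkt.dport not in ace.dports:
        return False
    return True

def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching ACE wins (IOS semantics); otherwise the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return f"{ace.action}: {ace.text}"
    return "deny: implicit"

# Constructed return packets arriving inbound on the Internet interface.
IKE_REPLY = Packet("udp", REMOTE_VPN, ROUTER, 500, 500)      # IKE, no NAT-T
NATT_REPLY = Packet("udp", REMOTE_VPN, ROUTER, 4500, 4500)   # IKE/ESP over NAT-T
ESP_REPLY = Packet("esp", REMOTE_VPN, ROUTER)                # plain ESP
# PAT on the router rewrote the client's UDP/500 source port to 62000 (made-up
# value), so the server's reply comes back to destination port 62000.
PAT_REPLY = Packet("udp", REMOTE_VPN, ROUTER, 500, 62000)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("manish", MANISH_ACL), ("karsten", KARSTEN_ACL)):
        for pkt in (IKE_REPLY, NATT_REPLY, ESP_REPLY, PAT_REPLY):
            print(f"{name:8} {pkt.proto:3} {pkt.sport}->{pkt.dport}: {evaluate(acl, pkt)}")
```

The first three packets are permitted by every variant, which is why the replies say the lists look fine. The difference only appears in the PAT case: the original list (`eq` on the source side) still permits the reply because its source port is 500, while both destination-port lists fall through to the implicit deny. That is the kind of mismatch the suggestion to log the ACL and read the hit ports in the console will surface.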

Re: VPN access-list

Hi Clarke,

I understand your query. There should not be any issue; the ports look fine. It should work.

But we may need a few other ports to be added to work this out. Check your logs or do a packet capture to see if there are any ports specific to the VPN client or VPN server. See, for example, whether the VPN client uses some specific port to get the VPN connection. If the VPN request comes with some specific source port, then it will not be allowed. This also depends on the VPN client configuration; if you configured the VPN to use UDP NAT traversal, it should work.

Try allowing TCP and UDP ports 10000 and 10001 (Cisco) and 2746 (Checkpoint/ERA VPN clients). If that is not working, try allowing the range 1024-65535 for TCP and UDP, then check the hits to get it confirmed.

Re: VPN access-list

Also it depends on what type of VPN connection you use to connect: Cisco VPN, Cisco AnyConnect, something like that.

New Member

Re: VPN access-list

thanks

I will apply the configs and update the post, also by enabling log on the access-list so it will show the port numbers in the console.
