02-20-2002 05:55 PM - edited 02-21-2020 11:36 AM
Hi all,
Can someone provide a basic config required to make a 3620 a VPN choke router? I have a 7200 sitting behind it and want to only allow IPSec through.
Thanks in advance,
Best Regards,
Jerry Roy
02-21-2002 07:29 AM
To only allow ipsec traffic to pass through your router, create an ACL on the router similar to:
access-list 101 permit udp host < ip address of your remote VPN router> host < ip address of your local VPN router> eq 500
access-list 101 permit esp host < ip address of your remote VPN router> host < ip address of your local VPN router>
The above ACL would be helpful for lan-lan tunnels
If you have client based VPN tunnels terminating on the router, then your ACL would look like:
access-list 101 permit udp any host < ip address of your local VPN router> eq 500
access-list 101 permit esp any host < ip address of your local VPN router>
Once you have the ACL configured, apply that on the inbound interface on the router. For example, if serial 0/0 is your inbound interface, then it would be:
int serial0/0
ip access-group 101 in
Hope that helps
Jazib
P.S. In the ACL, I allowed ESP, which is protocol 50. If you are using AH in your configuration, then you have to allow AH as well, which is protocol 51.
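To see what access-list 101 actually lets through, here is a small added model of IOS extended-ACL evaluation (first match wins, implicit deny at the end) run over a few constructed packets; this is illustration code, not from the thread or from Cisco, and the peer addresses are made-up placeholders:

```python
# Added example: minimal model of how an IOS extended ACL such as the
# lan-to-lan access-list 101 above is evaluated. Addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional

REMOTE_VPN = "203.0.113.10"   # constructed: remote VPN router
LOCAL_VPN = "198.51.100.5"    # constructed: the 7200 behind the choke router


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp", "esp", "ah"
    src: str
    dst: str
    dport: Optional[int] = None   # ESP (50) and AH (51) carry no port


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str
    src: str                   # address or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# access-list 101 (lan-to-lan form): IKE on UDP/500, then ESP with no port.
ACL_101 = [
    Ace("permit", "udp", REMOTE_VPN, LOCAL_VPN, 500),
    Ace("permit", "esp", REMOTE_VPN, LOCAL_VPN),
]

if __name__ == "__main__":
    for pkt in [Packet("udp", REMOTE_VPN, LOCAL_VPN, 500),
                Packet("esp", REMOTE_VPN, LOCAL_VPN),
                Packet("tcp", REMOTE_VPN, LOCAL_VPN, 80),
                Packet("ah", REMOTE_VPN, LOCAL_VPN)]:
        print(pkt, "->", evaluate(ACL_101, pkt))
```

The AH packet is dropped because only ESP is listed, which is the point of the P.S. above; a second `permit ahp` entry would be needed for AH tunnels.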
02-21-2002 08:42 AM
I figured that was all there was. Customers throw out terms like "choke router" and I just wanted to be sure there wasn't something I was missing.
Thanks Again Jazib!
BTW, Do you know how to set logging on a Cisco to report via syslog the IP address (and the hostname) the unit has received during a PPPoE or DHCP Session with their ISP? I have a monitoring application that parses syslog messages, modifies a database and then proceeds to ping the newly assigned IP address and watch the latency. NetScreen, Sonicwall, Netopia, Zyxel all do this. I can't seem to make it work on a Cisco. Is it not available?
02-21-2002 10:07 AM
I am not an expert in PPPoE, but I guess you could enable "debug ppp negotiation", and then parse the IP address from the debugs.
Hope that helps
02-21-2002 11:22 AM
Hi,
I have done that already; it only gives the IP address. I also need to get the router's hostname. Is there a way to get the router to send its hostname via syslog?
Thanks,
Jerry