3620 as a VPN Choke router

jerry.roy
Level 1

Hi all,

Can someone provide a basic config required to make a 3620 a VPN choke router? I have a 7200 sitting behind it and want to only allow IPSec through.

Thanks in advance,

Best Regards,

Jerry Roy

4 Replies

jfrahim
Level 5

To only allow ipsec traffic to pass through your router, create an ACL on the router similar to:

access-list 101 permit udp host < ip address of your remote VPN router> host < ip address of your local VPN router> eq 500

access-list 101 permit esp host < ip address of your remote VPN router> host < ip address of your local VPN router>

The above ACL would be helpful for lan-lan tunnels.

If you have client based VPN tunnels terminating on the router, then your ACL would look like:

access-list 101 permit udp any host < ip address of your local VPN router> eq 500

access-list 101 permit esp any host < ip address of your local VPN router>

Once you have the ACL configured, apply it inbound on the outside interface of the router. For example, if serial 0/0 is your inbound interface, then it would be:

int serial0/0

ip access-group 101 in

Hope that helps

Jazib

P.S. In the ACL, I allowed ESP, which is IP protocol 50. If you are using AH in your configuration, then you have to allow AH as well, which is IP protocol 51.
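A complete version of the choke-router filter described in the reply above, written here as an added example rather than as Jazib's own configuration. It assumes Serial0/0 faces the ISP, that the local VPN router (the 7200) is 192.0.2.10 and the remote LAN-to-LAN peer is 198.51.100.20 (documentation addresses standing in for the < ip address > placeholders). It goes beyond the reply in two places: it also permits UDP 4500, which IKE NAT traversal uses when a peer sits behind NAT, and it ends with an explicit deny carrying the log keyword so that rejected packets are visible in syslog. AH (protocol 51) is included as the P.S. describes; drop those lines if the tunnels use ESP only.

```cisco
! Extended ACL applied inbound on the ISP-facing interface of the 3620.
! Only IKE (UDP 500), IKE NAT-T (UDP 4500), ESP (IP protocol 50) and
! AH (IP protocol 51) addressed to the local VPN router are allowed.
!
! LAN-to-LAN peer 198.51.100.20 -> local VPN router 192.0.2.10 (assumed addresses)
access-list 101 permit udp host 198.51.100.20 host 192.0.2.10 eq 500
access-list 101 permit udp host 198.51.100.20 host 192.0.2.10 eq 4500
access-list 101 permit esp host 198.51.100.20 host 192.0.2.10
access-list 101 permit ahp host 198.51.100.20 host 192.0.2.10
!
! Remote-access clients come from unknown sources, so the same protocols
! are allowed from any source to the VPN router only
access-list 101 permit udp any host 192.0.2.10 eq 500
access-list 101 permit udp any host 192.0.2.10 eq 4500
access-list 101 permit esp any host 192.0.2.10
access-list 101 permit ahp any host 192.0.2.10
!
! An implicit deny already exists at the end of every ACL; this explicit
! entry with the log keyword makes the drops show up in syslog
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 in
```

After applying it, `show access-lists 101` shows a match counter per entry, which is the quickest way to confirm that IKE and ESP are hitting the permit lines and that nothing unexpected is landing on the final deny. The client-facing entries widen the exposure of the 7200 to any source on UDP 500/4500 and ESP/AH; if there are no remote-access tunnels, leave them out.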

I figured that was all there was. Customers throw out terms like "choke router" and I just wanted to be sure there wasn't something I was missing.

Thanks Again Jazib!

BTW, do you know how to set logging on a Cisco to report via syslog the IP address (and the hostname) the unit has received during a PPPoE or DHCP session with their ISP? I have a monitoring application that parses syslog messages, modifies a database and then proceeds to ping the newly assigned IP address and watch the latency. NetScreen, SonicWall, Netopia and ZyXEL all do this. I can't seem to make it work on a Cisco. Is it not available?

I am not an expert in PPPoE, but I guess you could enable "debug ppp negotiation" and then parse the IP address from the debugs.

Hope that helps

Hi,

I have done that already; it only gives the IP address. I also need to get the router's hostname. Is there a way to get the router to send its hostname via syslog?

Thanks,

Jerry
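The hostname question is left open in the thread. As an added note, not part of any reply: IOS can stamp every syslog message it sends with the router's own hostname using logging origin-id hostname, so a collector that parses syslog can attribute a message to the device without a reverse lookup. The collector address and hostname below are assumed values.

```cisco
! Assumed hostname; this string is what origin-id will prepend
hostname BRANCH-3620
!
! Timestamps make the messages usable for latency and change tracking
service timestamps log datetime msec
!
! Send syslog to the monitoring host (assumed address 192.0.2.50)
logging host 192.0.2.50
logging trap informational
!
! Prefix every outgoing syslog message with this router's hostname
logging origin-id hostname
```

Which message carries the ISP-assigned address depends on how the WAN interface gets it: an interface configured with ip address dhcp logs the assignment at informational level, while PPPoE negotiation details are, as the reply above says, only exposed through debug ppp negotiation, which should not be left running on a production router. Check show logging on the running release to see the exact message text before writing the parser against it.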
