Community Member

ACLs needed on firewall to allow IPsec to VPN3000 via client?

I wanted to find out which ACLs I will need on my firewall to allow the VPN client to connect to a VPN 3000 box via IPsec.

I think the first one should be the following (for the IPsec key management). I'm assuming I need this?

access-list 180 permit udp any host <vpnserver ip address> eq 500

I think there should be one more for the IPsec tunnel encapsulation (protocol 50?). Not sure what ACL I need for this one.

4 REPLIES
Cisco Employee

Re: ACLs needed on firewall to allow IPsec to VPN3000 via client

Here is a good link for you.

http://www.cisco.com/warp/customer/471/vpn_3000_faq.shtml#Q3

So the access-list could be like: access-list 108 permit esp any any

Regards,

Community Member

Re: ACLs needed on firewall to allow IPsec to VPN3000 via client

Thanks for the info. Actually, do you think it would be better to have:

access-list 108 permit esp any host

Also, with regards to the other ACL I had:

access-list 108 permit udp any host eq 500

Is this necessary for IPsec, or am I putting this in unnecessarily?

Thanks again.

Cisco Employee

Re: ACLs needed on firewall to allow IPsec to VPN3000 via client

You are correct, you can be more specific.

ESP is only for the encapsulation; you would still need UDP 500 for IKE.

So you need both access-lists.

Regards,
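As an added example that is not part of this thread: a small Python checker that parses Cisco IOS-style numbered extended ACL lines and verifies that a candidate list admits both flows the reply above names (IKE on UDP 500 and ESP, IP protocol 50) toward the concentrator, and that flags permits wider than the concentrator host. The ACL text and the concentrator address 192.0.2.10 are constructed for illustration.

```python
"""Check a Cisco IOS-style extended ACL for the two flows an IPsec VPN client
needs to reach a VPN 3000 concentrator: IKE (UDP/500) and ESP (IP protocol 50).
Added example, not from the thread; the ACL text and the concentrator address
192.0.2.10 are constructed for illustration."""
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_acl(text):
    """One dict per parsable access-list line, kept in order (ACLs are first-match)."""
    return [m.groupdict() for m in (ACL_RE.match(l.strip()) for l in text.splitlines()) if m]

def _matches(entry, proto_names, vpn_ip, ports):
    """True if the entry covers 'any client -> vpn_ip' for the given protocol/ports."""
    if entry["src"] != "any" or entry["dst"] not in ("any", f"host {vpn_ip}"):
        return False
    if entry["proto"] == "ip":                 # 'permit ip' covers every protocol
        return True
    if entry["proto"] not in proto_names:
        return False
    return entry["port"] is None or entry["port"] in ports   # no 'eq' means all ports

def check_ipsec_acl(text, vpn_ip):
    """Report whether IKE and ESP to vpn_ip are permitted (first match wins, with
    the implicit deny at the end) and which permits are wider than 'host <vpn_ip>'."""
    entries = parse_acl(text)
    flows = {"ike": (("udp",), ("500", "isakmp")), "esp": (("esp", "50"), ())}
    result = {}
    for name, (protos, ports) in flows.items():
        hit = next((e for e in entries if _matches(e, protos, vpn_ip, ports)), None)
        result[name] = bool(hit and hit["action"] == "permit")
    result["too_broad"] = [e["proto"] + (" eq " + e["port"] if e["port"] else "")
                           for e in entries if e["action"] == "permit" and e["dst"] == "any"]
    return result

VPN_IP = "192.0.2.10"                                   # constructed concentrator address
TIGHT_ACL = """\
access-list 108 permit udp any host 192.0.2.10 eq 500
access-list 108 permit esp any host 192.0.2.10
"""
ESP_ONLY_ACL = "access-list 108 permit esp any any\n"   # ESP alone: IKE can never complete

if __name__ == "__main__":
    print(check_ipsec_acl(TIGHT_ACL, VPN_IP))           # ike and esp True, nothing too broad
    print(check_ipsec_acl(ESP_ONLY_ACL, VPN_IP))        # ike False, esp True, 'esp' too broad
```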

Community Member

Re: ACLs needed on firewall to allow IPsec to VPN3000 via client

Thanks...everything is working fine now.

Now all I need to do is solve the problem of prompting users to change their password the first time they log on with their client....I've got another message posted for that.
