ACL's needed on firewall to allow IPSEC to VPN3000 via client ?

zabbas · ‎07-08-2002

I wanted to find out acl's I will need on my firewall to allow the vpn client to connect to a vpn 3000 box via IPSEC ?

I think the first one should be (for the IPSEC key management)..I'm assuming I need this??:

access-list 180 permit udp any host <vpnserver ip address> eq 500

I think there should be one more for the IPSEC Tunnel Encapsulation (protocol 50?) Not sure what acl I need for this one?

edadios · ‎07-08-2002

Here is good link for you.

http://www.cisco.com/warp/customer/471/vpn_3000_faq.shtml#Q3

So the access-list could be like ->access-list 108 permit esp any any.

Regards,

zabbas · ‎07-09-2002

Thanks for the info. Actually do you think it would be better to have :

access-list 108 permit esp any host

Also, with regards to the other ACL I had:

access-list 108 permit udp any host eq 500

Is this necessary for IPSEC, or am I putting this in unecessarily ?

Thanks again.

edadios · ‎07-09-2002

You are correct, you can be more specific.

esp is only for the encapsulation, you would still need the udp 500 for the ike.

So you need both access-list.

Regards,

zabbas · ‎07-15-2002

Thanks...everything is working fine now.

Now all I need to do is solve the problem of prompting users to change their password the first time they log on ith their client....I've got another message posted for that.