Cisco Support Community
Community Member

another vpn question

Ok, I have a Cisco 1721 running 12.4 advanced enterprise as my firewall/router, and it terminates my dial-in VPN. The VPN works, however I cannot ping addresses inside the remote LAN unless I add the following line to my ACL on the internet-facing interface: permit ip any any

I have already allowed UDP 500, 4500, and 10000. When I do a show access-list inbound, I see a hit count for isakmp, but not for 4500 or 10000, and I notice an increasing number on the deny ip any any after I ping. Now when I put in the permit ip any any it works. Is this a quick fix? If not, I will scrub my config and paste it in.


Re: another vpn question

Adding permit ip any any generally allows all IP addresses with any ports; that's why you see the count. You will find hit counts for port 4500 only if you have NAT-T enabled, and port 10,000 for split tunneling.

Community Member

Re: another vpn question

I think I found my issue. I added a line for "permit esp any any" and it seemed to fix it, even without the permit ip any any. The funny thing is, though, that I am not seeing any counters on the ACL line for permit esp any any, but it's working.
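For readers who land here with the same symptom, below is an added example (not the original poster's configuration, and not from Cisco documentation) of the ACL shape the thread arrives at, with the overly broad line placed beside the narrower rules. The ACL name inbound is taken from the show access-list inbound command in the original post; the interface name FastEthernet0, the public address 203.0.113.10 and the crypto map name VPNMAP are placeholders.

```cisco
! Added example, not the original poster's running config.
! Placeholders: FastEthernet0 (Internet-facing interface), 203.0.113.10
! (its public address), VPNMAP (the crypto map already applied there).
!
! --- The quick fix from the thread: every IP packet from the Internet is let in ---
ip access-list extended inbound-broad
 permit ip any any
!
! --- Narrow version: only what the IPsec remote-access VPN actually needs ---
ip access-list extended inbound
 remark IKE negotiation (UDP 500)
 permit udp any host 203.0.113.10 eq isakmp
 remark IKE and ESP carried in UDP 4500 when the client is behind NAT (NAT-T)
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark Cisco IPsec over UDP on port 10000, only if the clients are set up for it
 permit udp any host 203.0.113.10 eq 10000
 remark The tunnel payload itself: native ESP (IP protocol 50), which is the
 remark line that was missing in the original post
 permit esp any host 203.0.113.10
 remark Drop and log everything else so "show access-list inbound" shows
 remark which traffic is being rejected instead of a bare deny counter
 deny ip any any log
!
interface FastEthernet0
 ip access-group inbound in
 crypto map VPNMAP
```

After applying the narrow list, the same show access-list inbound check used in the thread is the way to confirm it: the isakmp line should accumulate hits as clients connect, the non500-isakmp line only for clients behind NAT, and the final deny should stop climbing when a VPN client pings the inside LAN. Restricting the destination to the router's own public address rather than any keeps the permits from covering traffic that merely transits the interface.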
