Securing Router VPN with Public IP

danmiller3
Level 1

When using the following ACL on the router side of a PIX to 2651XM VPN, no connectivity is established until the access-group is dropped from the FastEthernet0/1 interface - then it comes up and works fine.

We need to harden this FE interface as it has a public IP on a router with IOS support for VPNs.

What am I missing?

access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any

interface FastEthernet0/1
 ip access-group 150 in

Note: host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM

3 Replies

Not applicable

Looks like the access-list is misconfigured.

Refer to this link for the Router and VPN Client for Public Internet on a Stick Configuration Example:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

I have reviewed your link and don't see how that applies to my issue - it refers to a dynamic VPN for clients connecting to a router. I need a static point-to-point VPN between sites using a PIX and a router.

Let me restate the issue - the current VPN config works when the access-group is removed on the Fa0/1 interface - so it's got to be something missing in ACL 150. I think I've opened up all needed protocols on the router side...

Add log to the end of your ACL entry, try the VPN and see what is denied.

access-list 150 deny ip any any log
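The log-driven check the reply above suggests, as an added Python example that is not part of this thread: it parses constructed IOS %SEC-6-IPACCESSLOG* syslog lines (sample data only; 203.0.113.9 and 198.51.100.4 stand in for the PIX and the 2651XM) and totals what ACL 150 denies per flow, separating flows whose endpoints are not the two VPN peers.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not output from the poster's router), in the
# format IOS emits once "log" is added to an ACL entry; 203.0.113.9 stands in
# for the PIX (AA.BB.CC.DD) and 198.51.100.4 for the 2651XM (WW.XX.YY.ZZ).
SAMPLE_LOG = """\
Mar  1 10:01:12: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.10.25(3389) -> 10.20.0.7(445), 1 packet
Mar  1 10:01:15: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.10.25 -> 10.20.0.7 (8/0), 4 packets
Mar  1 10:02:01: %SEC-6-IPACCESSLOGNP: list 150 denied 47 192.0.2.77 -> 198.51.100.4, 2 packets
Mar  1 10:02:05: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.168.10.40(137) -> 10.20.0.255(137), 1 packet
Mar  1 10:03:44: %SEC-6-IPACCESSLOGP: list 150 permitted udp 203.0.113.9(500) -> 198.51.100.4(500), 1 packet
"""

# Covers the P (tcp/udp with ports), DP (icmp with type/code) and NP (raw
# protocol number) variants of the extended-ACL log message.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per IPACCESSLOG line; unrelated lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["count"] = int(e["count"])
            entries.append(e)
    return entries

def denied_flows(entries, acl="150"):
    """Packets per (proto, src, dst, dport-or-icmp-type) denied by one ACL."""
    flows = Counter()
    for e in entries:
        if e["acl"] == acl and e["action"] == "denied":
            key = (e["proto"], e["src"], e["dst"], e["dport"] or e["icmp"] or "-")
            flows[key] += e["count"]
    return flows

def flows_outside_peers(flows, peers):
    """Denied flows with an endpoint that is not a VPN peer address: such
    traffic can never match the host-to-host permits in ACL 150."""
    return {k: v for k, v in flows.items() if not {k[1], k[2]} <= peers}

if __name__ == "__main__":
    flows = denied_flows(parse_acl_log(SAMPLE_LOG))
    for (proto, src, dst, port), n in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} pkt  {proto:<5} {src} -> {dst} port/type {port}")
```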
