Cisco Support Community
New Member

Securing Router VPN with Public IP

When using the following ACL on the router side of a PIX to 2651XM VPN, no connectivity is established until the access-group is dropped from the FastEthernet0/1 interface; then it comes up and works fine.

We need to harden this FE interface as it has a public IP on a router with IOS support for VPNs.

What am I missing?

access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any

interface FastEthernet0/1
 ip access-group 150 in

Note: host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM

3 REPLIES
Anonymous
N/A

Re: Securing Router VPN with Public IP

Looks like the access-list is misconfigured.

Refer to this link for the Router and VPN Client for Public Internet on a Stick configuration example:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

New Member

Re: Securing Router VPN with Public IP

I have reviewed your link and don't see how that applies to my issue; it refers to a dynamic VPN for clients connecting to a router. I need a static point-to-point VPN between sites using a PIX and a router.

Let me restate the issue: the current VPN config works when the access-group is removed on the Fa0/1 interface, so it's got to be something missing in ACL 150. I think I've opened up all needed protocols on the router side...

Green

Re: Securing Router VPN with Public IP

Add log to the end of your ACL entry, try the VPN and see what is denied.

access-list 150 deny ip any any log
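An added example, not code from the thread: a short Python simulator of the first-match rules an IOS extended ACL applies, run over ACL 150 as posted (with the log keyword from the last reply on the final deny) and a few constructed packets. The addresses are placeholders chosen for the example, 198.51.100.1 for the PIX and 203.0.113.1 for the router, and the LAN prefixes 10.1.1.0/24 and 10.2.2.0/24 are likewise assumed. It shows two things the ACL listing alone does not make obvious: entry 1 (permit ip between the two hosts) already permits every protocol between those addresses, so entries 2 to 7 can never match and the failure is not a missing protocol keyword between the PIX and the router; and any packet that is not sourced from the PIX address and sent to the router address, including a cleartext packet from a LAN host behind the PIX, lands on the final deny. Older IOS releases evaluate the inbound interface ACL against the decrypted packet as well as against the ESP packet that carried it; whether this router does so is not settled in the thread, and it is exactly the kind of hit the logged deny would reveal. The parser also handles wildcard-mask entries, which the posted ACL does not use.

```python
"""Simulator for the first-match semantics of a Cisco IOS extended ACL.
Added example, not code from the thread. Addresses are assumptions: AA.BB.CC.DD
(PIX outside) = 198.51.100.1, WW.XX.YY.ZZ (2651XM Fa0/1) = 203.0.113.1."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PIX, ROUTER = "198.51.100.1", "203.0.113.1"

# ACL 150 as posted, with 'log' from the last reply added to the final deny.
ACL_150 = f"""
access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host {PIX} host {ROUTER}
access-list 150 permit ahp host {PIX} host {ROUTER}
access-list 150 permit esp host {PIX} host {ROUTER}
access-list 150 permit gre host {PIX} host {ROUTER}
access-list 150 permit icmp host {PIX} host {ROUTER}
access-list 150 permit igmp host {PIX} host {ROUTER}
access-list 150 permit udp host {PIX} host {ROUTER}
access-list 150 deny ip any any log
"""

@dataclass(frozen=True)
class Packet:
    proto: str                  # IOS protocol keyword: udp, tcp, esp, ahp, icmp, gre, igmp
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                 # permit or deny
    proto: str                  # 'ip' matches every protocol
    src: Optional[ipaddress.IPv4Network]    # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]        # destination 'eq PORT' only; other operators unsupported
    log: bool

def _parse_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    ones = bin(int(ipaddress.ip_address(tok[i + 1]))).count("1")  # contiguous wildcard only
    return ipaddress.ip_network(f"{tok[i]}/{32 - ones}", strict=False), i + 2

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport, i = int(tok[i + 1]), i + 2
        entries.append(Entry(tok[2], tok[3], src, dst, dport, "log" in tok[i:]))
    return entries

def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and (e.src is None or ipaddress.ip_address(p.src) in e.src)
            and (e.dst is None or ipaddress.ip_address(p.dst) in e.dst)
            and (e.dport is None or e.dport == p.dport))

def evaluate(entries, p):
    """First match wins: (action, 1-based entry number, logged); no match is the implicit deny."""
    for n, e in enumerate(entries, 1):
        if matches(e, p):
            return e.action, n, e.log
    return "deny", None, False

def shadowed_entries(entries):
    """1-based numbers of entries that can never match: an earlier entry covers all their packets."""
    def covers(a, b):
        return ((a.proto == "ip" or a.proto == b.proto)
                and all(x is None or (y is not None and y.subnet_of(x))
                        for x, y in ((a.src, b.src), (a.dst, b.dst)))
                and (a.dport is None or a.dport == b.dport))
    return [j for j in range(1, len(entries) + 1)
            if any(covers(entries[i], entries[j - 1]) for i in range(j - 1))]

# Constructed packets: the two the tunnel needs, then three that should end on the deny.
SAMPLE_PACKETS = {
    "ISAKMP from PIX": Packet("udp", PIX, ROUTER, 500),
    "ESP from PIX": Packet("esp", PIX, ROUTER),
    "ISAKMP from another peer": Packet("udp", "198.51.100.2", ROUTER, 500),
    "decrypted LAN packet": Packet("tcp", "10.1.1.5", "10.2.2.10", 443),
    "telnet probe from Internet": Packet("tcp", "192.0.2.99", ROUTER, 23),
}

if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    print("entries that can never match:", shadowed_entries(acl))
    for name, p in SAMPLE_PACKETS.items():
        action, n, logged = evaluate(acl, p)
        print(f"{name:27s} -> {action:6s} {f'entry {n}' + (' (logged)' if logged else '') if n else 'implicit deny'}")
```

On the router itself, show access-lists 150 reports a match counter per entry whether or not log is set, and the %SEC-6-IPACCESSLOG* messages from the logged deny appear in show logging (or on the session after terminal monitor). The first packet that hits a logged entry is reported immediately and later hits are summarised at intervals, so read the counters alongside the messages rather than relying on one line per packet.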
