vpn; access list on outside interface allowing encrypted traffic

Hi, I have a question about the access list on the outside interface of an 836 router. We have various routers at our customers' sites; some are lan2lan, some are vpn client2router.

My question is: why do I have to explicitly place the IP addresses of the LAN tunnel or VPN client in the access list? The encrypted traffic should already be allowed by permitting ESP and ISAKMP.

The access list is set on the outgoing interface with: ip access-group 102 in

access-list 102 remark Incoming Internet via ATM0.1
access-list 102 remark Permit IP Range VPN
access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255
access-list 102 permit ip 14.1.1.0 0.0.0.255 any
access-list 102 permit esp any any
access-list 102 remark Open VPN Ports & Others
access-list 102 permit udp any host x.x.x.x eq isakmp log

I have to explicitly allow 192.123.32.0 (LAN range of the other side) and 14.1.1.0 (VPN client range), because if I don't I will not be able to reach the network.

The VPN connection is not the problem, just the traffic that is going through it.

As far as I know, allowing ESP and ISAKMP should be enough.

Can anyone clarify this for me, please?

Tnx

Sebastian
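To make the behaviour Sebastian describes visible, here is an added Python example (not from the post, not Cisco code) that evaluates ACL 102 against the outer ISAKMP/ESP packets and against the clear-text packets that come out of the tunnel after decryption. It assumes the decrypted packet is checked by the inbound ACL a second time, which is what the observed behaviour implies; the peer address 198.51.100.7 and 203.0.113.1 standing in for x.x.x.x are constructed placeholders.

```python
import ipaddress

PORTS = {"isakmp": 500}        # named ports that appear in the post's ACL
PUBLIC_IP = "203.0.113.1"      # constructed stand-in for the post's x.x.x.x

# The post's ACL 102 (remarks dropped), with x.x.x.x replaced by PUBLIC_IP.
ACL_102 = [
    "access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255",
    "access-list 102 permit ip 14.1.1.0 0.0.0.255 any",
    "access-list 102 permit esp any any",
    f"access-list 102 permit udp any host {PUBLIC_IP} eq isakmp log",
]
# The same ACL with the two explicit clear-text permits removed.
ACL_ESP_ONLY = [line for line in ACL_102 if " permit ip " not in line]

def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (spec, rest)."""
    if tokens[0] == "any":
        return (None, None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _match_addr(spec, addr):
    """IOS wildcard mask: a set bit means 'don't care'; 'any' matches everything."""
    net, wild = spec
    if net is None:
        return True
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def evaluate(acl, proto, src, dst, dport=None):
    """First matching line decides; no match ends in the implicit deny."""
    for line in acl:
        t = line.split()
        action, aproto, rest = t[2], t[3], t[4:]
        src_spec, rest = _addr(rest)
        dst_spec, rest = _addr(rest)
        if aproto not in ("ip", proto):
            continue
        if not (_match_addr(src_spec, src) and _match_addr(dst_spec, dst)):
            continue
        if rest[:1] == ["eq"] and dport != (PORTS.get(rest[1]) or int(rest[1])):
            continue
        return action
    return "deny"

def tunnel_check(acl):
    """Outer ISAKMP/ESP from the peer vs. the clear-text packets re-checked after decryption."""
    return {
        "isakmp": evaluate(acl, "udp", "198.51.100.7", PUBLIC_IP, 500),
        "esp": evaluate(acl, "esp", "198.51.100.7", PUBLIC_IP),
        "lan2lan_decrypted": evaluate(acl, "tcp", "192.123.32.10", "192.123.33.20", 80),
        "client_decrypted": evaluate(acl, "tcp", "14.1.1.5", "192.123.33.20", 80),
    }
```

With the full ACL every packet is permitted; with only the esp/isakmp lines the tunnel still comes up, but both decrypted packets fall through to the implicit deny, which is the symptom in the post.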
