Cisco Support Community

VPN client and ACL issues


I set up a 1720 according to:

--note: ciscomoderator edited url to publicly viewable version--

and the clients can connect, but they can't do anything else. My inbound access list blocks their traffic. I would really like to keep the ACL tight, and I found that I can let all the VPN traffic through by permitting the VPN pool to the internal network ("permit ip"), but I don't really like this solution. Does anybody have any suggestions on how I should do this? My inbound ACL is below. I feel that I am missing something here.



ip access-list extended ACL-in
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 permit udp host 206.xx.xx.xx eq domain any
 permit udp host 206.xx.xx.xx eq domain any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit tcp any any established
 permit udp any eq isakmp host eq isakmp
 permit tcp any any eq 22
 permit udp host any eq ntp
 permit udp host any eq ntp
 deny ip any any log


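One way to keep the inbound list tight instead of a blanket "permit ip" from the pool, as an added example that is not the poster's configuration and not taken from the linked Cisco document: permit only the decrypted client traffic the clients actually need, by pool and by destination service, and close the pool section with an explicit logged deny so anything else a client tries shows up in the log. Every address here is an assumption: VPN client pool 192.168.200.0/24, internal LAN 192.168.1.0/24 with DNS on .10, a file server on .11 and mail on .12, and OUTSIDE-IP as a placeholder for the router's public interface address. The example also spells out the ESP and UDP 4500 (NAT-T) permits that the posted list does not show; the posted list only has the ISAKMP entry.

```cisco
! Added example, not the poster's running config. Assumed addressing:
!   VPN client pool   192.168.200.0/24
!   internal LAN      192.168.1.0/24  (DNS .10, file server .11, mail .12)
!   OUTSIDE-IP        placeholder for the router's public interface address
ip access-list extended ACL-in
 remark -- IKE and IPsec from remote clients, to this router only --
 permit udp any host OUTSIDE-IP eq isakmp
 permit udp any host OUTSIDE-IP eq 4500
 permit esp any host OUTSIDE-IP
 remark -- too broad, shown only for contrast:
 remark --   permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark -- decrypted client traffic: only the pool, only the needed services --
 permit udp 192.168.200.0 0.0.0.255 host 192.168.1.10 eq domain
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.1.11 eq 445
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.1.12 eq 25
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.1.12 eq 143
 permit icmp 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
 deny   ip 192.168.200.0 0.0.0.255 any log
 remark -- the rest of the original list (ICMP replies, established, SSH, NTP) follows --
 permit icmp any any echo-reply
 permit tcp any any established
 deny   ip any any log
```

Order matters because the list is evaluated top to bottom with first match: the IKE/ESP entries must come before the pool deny, and the pool deny sits before "permit tcp any any established", so a connection that an internal host initiates toward a client would need its own entry. After applying the list, "show ip access-lists ACL-in" shows per-entry hit counts; a rising counter on the pool deny line points at a service the clients still need that is not yet permitted.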

Re: VPN client and ACL issues

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
