BP
New Member

VPN client through ACL issue

I have been trying to improve the firewall config on a client's router and found an ACL on the web that I liked. The problem is that when I apply it, it breaks the client's ability to use the Cisco VPN client: the VPN client gets no error, it just does not connect. So I am pretty sure it's something in the ACL config, but I am not seeing it. With the two attached configs, can anybody tell me what I am missing?

3 REPLIES

Re: VPN client through ACL issue

hi

Two things which are visible are the IOS code being used on both the routers and a slight difference with the ACL entries in the VPNNOTWORK.txt config file.

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log

Try altering the ACL by removing the below statement and check.

access-list 111 deny ip 10.0.0.0 0.255.255.255 any log

regds

BP
New Member

Re: VPN client through ACL issue

Correct on the different IOS version: I did update the router, but the vpnwork config works just fine with the new IOS.

I did try your suggestion, but I still get the same result of the VPN client not connecting. Also, I thought that, the way I had this written, this filter only applied to incoming packets with an IP of 10.X.X.X and should not affect the internal NAT'ed network?

New Member

Re: VPN client through ACL issue

Hi

Please modify your spoofing config and check:

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log

Please add the following ACL entry at the end of the anti-spoofing config:

access-list 111 permit ip any any log

The config will look like this:

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 permit ip any any log

Thanks
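To see what the appended permit entry changes, here is an added example (not code from the thread or from Cisco) that evaluates the posted access-list 111 against constructed packets using IOS ACL semantics: entries are checked top to bottom, the first match wins, and anything unmatched hits the implicit deny at the end. It handles only "ip" entries with any/host/wildcard addresses, which is all this list uses; the sample addresses are constructed documentation-range values, not the client's real ones.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one source/destination spec: 'any', 'host X', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text, number):
    """Return the ordered (action, src, dst) entries of access-list <number>; remarks skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if proto != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        entries.append((action, _parse_addr(rest), _parse_addr(rest)))
    return entries

def _matches(spec, addr):
    net, wild = spec  # a wildcard bit set to 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(entries, src, dst):
    """IOS first-match lookup; anything unmatched hits the implicit deny at the end."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

ACL_AS_POSTED = """\
access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log
"""
ACL_WITH_PERMIT = ACL_AS_POSTED + "access-list 111 permit ip any any log\n"

if __name__ == "__main__":  # constructed documentation-range addresses, not from the thread
    for name, text in (("as posted", ACL_AS_POSTED), ("with permit", ACL_WITH_PERMIT)):
        acl = parse_acl(text, 111)
        print(name, "public VPN client ->", evaluate(acl, "203.0.113.5", "198.51.100.1"))
        print(name, "10/8 source ->", evaluate(acl, "10.1.1.5", "198.51.100.1"))
```

Without the trailing permit, a packet from a public address that matches none of the deny entries is dropped by the implicit deny; with it, only the listed bogon ranges are dropped.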
