Which ports should I enable to get RA VPN working?

Leo_Stobbe (Level 1)

Hi,

I have some L2L tunnels. I don't use the "sysopt connection permit-vpn" command. I prefer to enable the required ports for specific source IPs, so they can establish a VPN tunnel with me.

Recently I configured remote access VPN. It works fine, but only when I enable "sysopt connection permit-vpn".

Question:

1. Which ports have to be enabled to get RA VPN working (without "sysopt connection permit-vpn")?

2. How can I restrict the access of remote clients once they are connected to my private network?

thanks

Leo

Accepted Solution

kaachary (Cisco Employee)

Hi Leo,

When you do not use "sysopt connection permit-vpn", you have to explicitly permit UDP 500, UDP 4500 and ESP traffic on the outside access-list.

Let's say the outside interface public IP address is x.x.x.x, the client pool we are using is y.y.y.0, and you want to allow "only" traffic for port 80 through the tunnel.

On the outside ACL, you have to add the following statements:

access-list 101 remark IKE, NAT-T and ESP inbound to the outside interface
access-list 101 permit udp any host x.x.x.x eq 500
access-list 101 permit udp any host x.x.x.x eq 4500
access-list 101 permit esp any host x.x.x.x
access-list 101 remark decrypted client-pool traffic: only HTTP, deny everything else
access-list 101 permit tcp y.y.y.0 255.255.255.0 any eq 80
access-list 101 deny ip y.y.y.0 255.255.255.0 any
access-group 101 in interface outside

*Please rate the post if it helps.

-Kanishka

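The following is an added example, not part of Kanishka's reply and not Cisco tooling: a small Python first-match evaluator for a PIX/ASA-style access-list. It checks that an outside ACL shaped like the one above lets the three tunnel-establishment flows (UDP/500, UDP/4500, ESP) reach the outside address, and that decrypted client-pool traffic reaches only TCP/80, including what happens when the pool deny is placed before the port-80 permit. The addresses 203.0.113.10 (outside interface), 192.0.2.0/24 (client pool), 198.51.100.7 (a remote client) and 10.0.0.5 (an inside server) are constructed documentation addresses standing in for x.x.x.x and y.y.y.0; the ACL text and the set of flows checked are constructed for this example.

```python
"""First-match evaluation of a PIX/ASA-style access-list (added example).

Models the outside ACL from the reply above: IKE (UDP/500), NAT-T (UDP/4500)
and ESP inbound to the outside interface, then decrypted client-pool traffic
restricted to TCP/80. All addresses are constructed documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IP = "203.0.113.10"     # stands in for x.x.x.x (outside interface)
REMOTE_CLIENT = "198.51.100.7"  # a client's public address (constructed)
INSIDE_SERVER = "10.0.0.5"      # a server on the private network (constructed)

# Constructed ACL text mirroring the reply; 192.0.2.0/24 stands in for y.y.y.0.
ACL_TEXT = """
access-list 101 remark IKE, NAT-T and ESP to the outside interface
access-list 101 permit udp any host 203.0.113.10 eq 500
access-list 101 permit udp any host 203.0.113.10 eq 4500
access-list 101 permit esp any host 203.0.113.10
access-list 101 remark decrypted client traffic: only HTTP
access-list 101 permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-list 101 deny ip 192.0.2.0 255.255.255.0 any
"""

# Same entries with the pool deny placed before the permit: a common mistake.
MISORDERED_ACL = """
access-list 101 permit udp any host 203.0.113.10 eq 500
access-list 101 permit udp any host 203.0.113.10 eq 4500
access-list 101 permit esp any host 203.0.113.10
access-list 101 deny ip 192.0.2.0 255.255.255.0 any
access-list 101 permit tcp 192.0.2.0 255.255.255.0 any eq 80
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp", "tcp", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", if any


def _addr(tok: List[str], i: int):
    """Parse one address spec at tok[i]: 'any', 'host A' or 'NET MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs use a real netmask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def check_ra_vpn(acl_text: str, pool_host: str = "192.0.2.50") -> dict:
    """Flows a practitioner would verify on the outside ACL (assumed set):
    the three tunnel-establishment flows, plus HTTP and SSH from a pool host."""
    aces = parse_acl(acl_text)
    return {
        "ike":   evaluate(aces, "udp", REMOTE_CLIENT, OUTSIDE_IP, 500),
        "nat_t": evaluate(aces, "udp", REMOTE_CLIENT, OUTSIDE_IP, 4500),
        "esp":   evaluate(aces, "esp", REMOTE_CLIENT, OUTSIDE_IP),
        "http":  evaluate(aces, "tcp", pool_host, INSIDE_SERVER, 80),
        "ssh":   evaluate(aces, "tcp", pool_host, INSIDE_SERVER, 22),
    }


if __name__ == "__main__":
    print(check_ra_vpn(ACL_TEXT))        # http permitted, ssh denied
    print(check_ra_vpn(MISORDERED_ACL))  # http denied: the deny matched first
```

The pool entries matter on the outside interface only because "sysopt connection permit-vpn" is off, which is the premise of the thread: with it on, decrypted traffic bypasses the interface ACL and these checks would not apply.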

6 Replies


Hi Kanishka,

It is working fine.

Thanks for your help

Leo

Hi Kanishka,

Our remote user can connect with Remote Access VPN when he is directly connected to the internet, but when he is behind the office PIX, he can only establish the VPN tunnel and cannot access the office intranet. Does this have something to do with the access list for the VPN or the MTU size on the remote side, or does the remote PIX also have to have NAT-T set on their side as well? What are the symptoms and solutions for each?

Thanks,

Kaprino

Hi Kaprino,

Should I understand that the client connects and is able to access the remote network but loses connectivity to the local network? If yes, then you need split tunneling. If you are saying that the client is not able to access the remote network, then you need to check the NAT bypass rules on the headend box.

HTH.

Please do rate if it helps.

Regards,

Kamal

Actually the VPN works when it is outside of the PIX and directly connected to the internet. When the laptop with the VPN software is behind the PIX, the laptop is only able to establish the VPN tunnel, but cannot access the web servers or the DNS server.

Thanks,

Kap

Hello,

I had this problem.

After enabling "crypto isakmp nat-traversal", it was solved.

Hope this will help

Regards

Leo
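An added example, not from the thread, that models the symptom Kaprino describes and the fix Leo reports: a simplified Python port-address-translation table standing in for the office PIX. IKE over UDP/500 has transport ports, so the PAT keeps a reverse mapping and the tunnel establishes; native ESP (IP protocol 50) has an SPI but no ports, so the headend's ESP replies cannot be mapped back to the laptop and no data flows; with NAT-T the ESP is encapsulated in UDP/4500 and translates like any other UDP flow. The addresses are constructed, ESP passthrough or SPI tracking is deliberately not modelled, and the real NAT-T exchange (NAT-D detection, IKE floating to UDP/4500) is reduced to the port behaviour that matters here.

```python
"""Why an IPsec tunnel comes up behind PAT yet carries no data (added example).

A minimal port-address-translation device standing in for the office PIX.
Flows with transport ports (IKE on UDP/500, NAT-T on UDP/4500) get a reverse
mapping and translate both ways. Native ESP carries an SPI but no ports, so
this simplified PAT forwards it outbound without a reverse entry and drops the
headend's ESP replies: phase 1/2 complete, but no traffic reaches the laptop.
Real NAT-T also moves IKE itself to UDP/4500 after NAT detection; omitted here.
Addresses are constructed documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CLIENT = "10.10.10.20"    # laptop behind the office PIX (constructed)
PAT_IP = "198.51.100.7"   # office PIX outside address (constructed)
HEADEND = "203.0.113.10"  # RA VPN headend outside interface (constructed)


@dataclass(frozen=True)
class Pkt:
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP
    dport: Optional[int] = None  # None for ESP
    spi: Optional[int] = None    # ESP SPI, carried for illustration only


class Pat:
    """Translates (proto, inside ip, inside port) to (pat ip, new port).
    No ESP passthrough or SPI tracking is modelled (simplifying assumption)."""

    def __init__(self, pat_ip: str, first_port: int = 1024):
        self.pat_ip = pat_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, str, int], int] = {}
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Pkt) -> Pkt:
        if p.sport is None:
            # ESP: rewrite the source, but nothing to key a reverse mapping on.
            return Pkt(p.proto, self.pat_ip, p.dst, spi=p.spi)
        key = (p.proto, p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return Pkt(p.proto, self.pat_ip, p.dst, self.out[key], p.dport, p.spi)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.dport is None:
            return None  # ESP reply: no port to demultiplex on, dropped
        inside = self.back.get((p.proto, p.dport))
        if inside is None:
            return None  # no matching outbound flow, dropped
        return Pkt(p.proto, p.src, inside[0], p.sport, inside[1], p.spi)


def run_session(pat: Pat, nat_t: bool) -> Tuple[bool, bool]:
    """Return (tunnel_established, data_flows) for one client behind the PAT."""
    # IKE phase 1/2: UDP/500 both ways.
    ike_out = pat.outbound(Pkt("udp", CLIENT, HEADEND, 500, 500))
    ike_back = pat.inbound(Pkt("udp", HEADEND, PAT_IP, 500, ike_out.sport))
    tunnel_up = ike_back is not None and ike_back.dst == CLIENT

    # Data: native ESP, or ESP-in-UDP/4500 when NAT-T is negotiated.
    if nat_t:
        data = Pkt("udp", CLIENT, HEADEND, 4500, 4500, spi=0x1001)
    else:
        data = Pkt("esp", CLIENT, HEADEND, spi=0x1001)
    data_out = pat.outbound(data)
    if nat_t:
        reply = Pkt("udp", HEADEND, PAT_IP, 4500, data_out.sport, spi=0x2002)
    else:
        reply = Pkt("esp", HEADEND, PAT_IP, spi=0x2002)
    data_back = pat.inbound(reply)
    data_ok = data_back is not None and data_back.dst == CLIENT
    return tunnel_up, data_ok


if __name__ == "__main__":
    print("without NAT-T:", run_session(Pat(PAT_IP), nat_t=False))  # (True, False)
    print("with NAT-T:   ", run_session(Pat(PAT_IP), nat_t=True))   # (True, True)
```

Enabling nat-traversal on the headend only helps if UDP/4500 is also permitted on its outside ACL, as in Kanishka's reply; otherwise the failure simply moves from the remote PAT to the headend's access-list.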