02-18-2007 04:24 AM - edited 02-21-2020 02:52 PM
Hi,
I have some L2L tunnels. I don't use the "sysopt connection permit-vpn" command. I prefer to enable the required ports for specific source IPs, so they can establish a VPN tunnel with me.
Recently I have configured remote access VPN. It works fine... but only when I enable "sysopt connection permit-vpn".
Question:
1. Which ports have to be enabled to get RA VPN to work? (without sysopt connection permit-vpn)
2. How can I restrict access of remote clients when they are connected to my private network?
thanks
Leo
02-18-2007 05:39 AM
Hi Leo,
When you do not use "sysopt connection...", you have to explicitly permit udp 500, udp 4500 and esp traffic on the outside access-list.
Let's say the outside interface public IP address is x.x.x.x, the client pool we are using is y.y.y.0, and you want to allow "only" traffic for port 80 through the tunnel.
On the outside ACL, you have to put the following statements:
access-list 101 permit udp any host x.x.x.x eq 500
access-list 101 permit udp any host x.x.x.x eq 4500
access-list 101 permit esp any host x.x.x.x
access-list 101 permit tcp y.y.y.0 255.255.255.0 any eq 80
access-list 101 deny ip y.y.y.0 255.255.255.0 any
*Please rate the post if it helps.
-Kanishka
02-18-2007 10:26 PM
Hi Kanishka,
It is working fine..
Thanks for your help
Leo
02-19-2007 04:10 PM
Hi Kanisha,
Our remote user can connect with Remote Access VPN when he is directly connected to the internet, but when he is behind the office PIX, he can only establish the VPN tunnel but cannot access the office intranet. Does this have something to do with the access list for the VPN or the MTU size on the remote, or does the remote PIX also have to set NAT-T on their side as well? What are the symptoms and solutions for each?
Thanks,
Kaprino
02-19-2007 05:07 PM
Hi Kaprino,
Should I understand that the client connects and is able to access the remote network but loses the connectivity to the local network? If yes, then you need split-tunnel. If you are saying that the client is not able to access the remote network, then you need to check the nat bypass rules on the headend box.
HTH.
Please do rate if it helps.
Regards,
Kamal
02-19-2007 07:52 PM
Actually the VPN works when it is outside of the PIX and directly connected to the internet. When the laptop with the VPN software is behind the PIX, the laptop is only able to establish the VPN tunnel, but cannot access the web servers or the DNS server.
Thanks,
Kap
02-20-2007 04:22 AM
Hello,
I had the problem.
After enabling crypto isakmp nat-traversal, it is solved.
Hope this will help.
Regards
Leo
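Kanishka's ACL answer and Leo's NAT-T fix, written out together as an added example in ASA/PIX 7.x syntax (this is not configuration posted by the thread's participants). It assumes 203.0.113.10 as the outside interface address, 192.0.2.0/24 as the client pool and 10.0.0.0/24 as the internal network; all three are placeholder values.

```cisco
! Decrypted VPN traffic is NOT exempted from the outside ACL, so it is filtered below.
no sysopt connection permit-vpn

! 1. Let IPsec remote-access clients reach the headend: IKE (UDP 500),
!    NAT-T (UDP 4500) and ESP, all destined to the outside interface (203.0.113.10).
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10

! 2. After decryption the packets carry the client-pool source (192.0.2.0/24),
!    so the same inbound ACL limits what connected clients may do on the private
!    network: here only HTTP to the internal web servers in 10.0.0.0/24.
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www
! Explicit deny with logging: each blocked client attempt is written to syslog,
! which is what you watch to see clients probing beyond what they are allowed.
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any log

! Apply the ACL inbound on the outside interface (this is the step the thread leaves implicit).
access-group OUTSIDE_IN in interface outside

! 3. Clients behind another PIX/NAT device need NAT-T; without it ESP is dropped or
!    mangled, so the tunnel comes up but carries no traffic (Kap's symptom).
!    20 is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20

! Verification:
!   show access-list OUTSIDE_IN   -> hit counts on the isakmp/4500/esp and www lines
!   show crypto ipsec sa          -> per-client SAs with encaps/decaps counters; decaps
!                                    rising while the intranet stays unreachable points
!                                    back at the ACL, not at the tunnel
```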