
New Member

Why is no IP traffic possible through this config? [Cisco 871 router]

Hi there,

I've set up an incoming and outgoing access list on the FastEthernet4 interface (external interface) which only allows IP traffic over UDP ports 500 and 4500 to establish the VPN over UDP.

Connecting to the Easy VPN server works properly; only IP traffic like pings or DNS lookups is denied.

Could the access list be causing this problem? Is the VPN tunnel terminated on fe04?

SDM extends the access list by granting access to the IP addresses from the VPN server. Question: must-have or security hole?

interface FastEthernet4
 description $ETH-LAN$
 ip address 111.222.333.444 255.255.255.248
 ip access-group allow_only_ipsec_in in
 ip access-group allow_only_ipsec_out out
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

ip access-list extended allow_only_ipsec_in
 permit udp any host 111.222.333.444 eq isakmp
 permit udp any host 111.222.333.444 eq non500-isakmp
 deny ip any any

ip access-list extended allow_only_ipsec_out
 permit udp host 111.222.333.444 eq isakmp any eq isakmp
 permit udp host 111.222.333.444 eq non500-isakmp any eq non500-isakmp
 deny ip any any

111.222.333.444 stands for the public IP address.

Kind regards, Martin

1 REPLY
Silver

Re: Why is no IP traffic possible through this config? [Cisco

Martin

Can you also permit ESP traffic in the access list? Also, the order of operation on the interface is access list first and then IPsec checking and encryption. I would suggest doing GRE over IPsec in this setup.

http://www.cisco.com/warp/public/556/5.html

Let me know if it works otherwise. I am talking theoretically here.

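As an added example (not code from either post), the Python below is a small evaluator for Cisco IOS extended ACL entries, run against Martin's two access lists to show the point the reply makes: neither list has an entry for ESP (IP protocol 50), so IKE on UDP 500/4500 is permitted and the tunnel comes up, but the encrypted data packets match only the final deny. It also evaluates amended lists with a permit esp entry, which the reply suggests but does not spell out, and checks cleartext packets on the assumption the reply states, namely that the interface ACL is applied to the packet before encryption and after decryption. The addresses 198.51.100.4 and 203.0.113.10 are assumed stand-ins (the poster's 111.222.333.444 is not a valid IPv4 address), the sample packets are constructed, and the parser goes slightly beyond the posted lists by also accepting the 'address wildcard' form of an IOS address spec.

```python
"""
Added example, not code from the thread: a small evaluator for Cisco IOS
extended ACL entries, run against the two access lists the poster showed.
It demonstrates the replier's point that ESP never matches either list, so
the tunnel's data packets are dropped even though IKE negotiation works.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the poster's lists (plus 'domain' for DNS).
PORT_KEYWORDS = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}

# Assumed stand-ins: the poster's 111.222.333.444 is not a valid IPv4 address,
# so documentation-range addresses are used for the router and the VPN server.
ROUTER_PUBLIC_IP = "198.51.100.4"
VPN_SERVER_IP = "203.0.113.10"


@dataclass
class Packet:
    proto: str                     # "udp", "tcp", "icmp", "esp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard mask: invert the wildcard to obtain the netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; other operators are out of scope."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)), i + 2
    return None, i


def parse_ace(line):
    """Turn one 'permit|deny PROTO SRC [eq P] DST [eq P]' line into a dict."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"


# The poster's lists, with the placeholder address substituted.
ALLOW_ONLY_IPSEC_IN = [
    f"permit udp any host {ROUTER_PUBLIC_IP} eq isakmp",
    f"permit udp any host {ROUTER_PUBLIC_IP} eq non500-isakmp",
    "deny ip any any",
]
ALLOW_ONLY_IPSEC_OUT = [
    f"permit udp host {ROUTER_PUBLIC_IP} eq isakmp any eq isakmp",
    f"permit udp host {ROUTER_PUBLIC_IP} eq non500-isakmp any eq non500-isakmp",
    "deny ip any any",
]
# The reply's suggestion, written out: also permit ESP in both directions.
IN_WITH_ESP = ALLOW_ONLY_IPSEC_IN[:2] + [f"permit esp any host {ROUTER_PUBLIC_IP}", "deny ip any any"]
OUT_WITH_ESP = ALLOW_ONLY_IPSEC_OUT[:2] + [f"permit esp host {ROUTER_PUBLIC_IP} any", "deny ip any any"]


def verdicts():
    """Constructed packets run against the original and the amended lists."""
    ike_in = Packet("udp", VPN_SERVER_IP, ROUTER_PUBLIC_IP, 500, 500)
    esp_in = Packet("esp", VPN_SERVER_IP, ROUTER_PUBLIC_IP)
    esp_out = Packet("esp", ROUTER_PUBLIC_IP, VPN_SERVER_IP)
    # Cleartext packets as they look after decryption / before encryption;
    # per the reply, the interface ACL sees them in that form (assumed here).
    ping_in = Packet("icmp", "10.0.0.5", "192.168.1.10")
    dns_out = Packet("udp", "192.168.1.10", "10.0.0.53", 49152, 53)
    return {
        "ike_in": evaluate(ALLOW_ONLY_IPSEC_IN, ike_in),
        "esp_in_original": evaluate(ALLOW_ONLY_IPSEC_IN, esp_in),
        "esp_out_original": evaluate(ALLOW_ONLY_IPSEC_OUT, esp_out),
        "esp_in_with_esp": evaluate(IN_WITH_ESP, esp_in),
        "esp_out_with_esp": evaluate(OUT_WITH_ESP, esp_out),
        "decrypted_ping_in": evaluate(IN_WITH_ESP, ping_in),
        "cleartext_dns_out": evaluate(OUT_WITH_ESP, dns_out),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} {verdict}")
```

Running it shows "permit" for the IKE packet and "deny" for ESP under the posted lists, "permit" for ESP once the esp entries are added, and still "deny" for the cleartext ping and DNS packets, which is what the poster sees: the tunnel negotiates, but nothing usable crosses it. The evaluator is deliberately minimal (only the eq port operator, no established, log or object-group syntax), enough to reason about lists of this shape.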