
3620 as a VPN Choke router

jerry.roy
Level 1

Hi all,

Can someone provide a basic config required to make a 3620 a VPN choke router? I have a 7200 sitting behind it and want to only allow IPSec through.

Thanks in advance,

Best Regards,

Jerry Roy

4 Replies

jfrahim
Level 5

To only allow ipsec traffic to pass through your router, create an ACL on the router similar to:

access-list 101 per udp host < ip address of your remote VPN router> host < ip address of your local VPN router> eq 500

access-list 101 per esp host < ip address of your remote VPN router> host < ip address of your local VPN router>

The above ACL would be helpful for lan-lan tunnels

If you have client based VPN tunnels terminating on the router, then your ACL would look like:

access-list 101 per udp any host < ip address of your local VPN router> eq 500

access-list 101 per esp any host < ip address of your local VPN router>

Once you have the ACL configured, apply that on the inbound interface on the router. For example, if serial 0/0 is your inbound interface, then it would be:

int serial0/0

ip access-group 101 in

Hope that helps

Jazib

P.S. In the ACL, I allowed ESP, which is protocol 50. If you are using AH in your configuration, then you have to allow AH as well, which is protocol 51.
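The complete choke-router ACL for a LAN-to-LAN tunnel, written out as an added example that is not part of the reply above. It uses RFC 5737 documentation addresses as stand-ins (203.0.113.1 for the remote peer, 198.51.100.2 for the local 7200 behind the 3620), spells out the permit keyword, adds the AH line the P.S. mentions (IOS keyword ahp), and goes beyond the reply in two places: a UDP 4500 entry for IKE/ESP encapsulated by NAT-Traversal, which only matters if both peers negotiate NAT-T and the 3620's IOS supports it, and an explicit logged deny so rejected traffic shows up in the router log instead of disappearing into the implicit deny.

```cisco
! Added example config, not from the original thread.
! 203.0.113.1 = remote (peer) VPN router, 198.51.100.2 = local 7200 behind the 3620
! IKE (ISAKMP) negotiation, UDP port 500 (eq isakmp is the IOS name for 500)
access-list 101 permit udp host 203.0.113.1 host 198.51.100.2 eq isakmp
! IKE/ESP inside UDP 4500 when NAT-T is negotiated; not mentioned in the
! thread, include only if both peers use NAT-T
access-list 101 permit udp host 203.0.113.1 host 198.51.100.2 eq 4500
! ESP, IP protocol 50
access-list 101 permit esp host 203.0.113.1 host 198.51.100.2
! AH, IP protocol 51, only needed if the tunnel uses AH
access-list 101 permit ahp host 203.0.113.1 host 198.51.100.2
! Make the implicit deny explicit and log hits so blocked traffic is visible
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 in
```

Two practical notes: the log keyword sends each denied packet through the CPU path, so on a small box like a 3620 facing a noisy link it is worth watching CPU after enabling it (or rate-limiting with ip access-list logging interval), and because the ACL is applied inbound only, the 7200's own outbound traffic is unaffected while anything the peer sends outside the permitted protocols is dropped and counted, which `show access-lists 101` will display.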

I figured that was all there was. Customers throw out terms like "choke router" and I just wanted to be sure there wasn't something I was missing.

Thanks Again Jazib!

BTW, do you know how to set logging on a Cisco to report via syslog the IP address (and the hostname) the unit has received during a PPPoE or DHCP session with their ISP? I have a monitoring application that parses syslog messages, modifies a database and then proceeds to ping the newly assigned IP address and watch the latency. NetScreen, SonicWall, Netopia, Zyxel all do this. I can't seem to make it work on a Cisco. Is it not available?

I am not an expert in PPPoE, but I guess you could enable "debug ppp negotiation", and then parse the IP address from the debugs.

Hope that helps

Hi,

I have done that already; it only gives the IP address. I need to also get the router's hostname. Is there a way to get the router to send its hostname via syslog?

Thanks,

Jerry
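As an added example, not from any of the posters: the debug approach suggested above only reaches a syslog collector if the trap level includes debugging, and the hostname asked about in the last post can be prefixed to every forwarded message with logging origin-id hostname. The collector address 192.0.2.10 and the hostname edge-3620 are placeholders, and availability of logging origin-id depends on the IOS release running on the 3620, which the thread does not state.

```cisco
! Added example config, not from the original thread.
hostname edge-3620
! syslog collector that the monitoring application reads from (placeholder)
logging host 192.0.2.10
! debug output is severity 7, so the trap level must include debugging
logging trap debugging
! prefix each message sent to the collector with the configured hostname
logging origin-id hostname
! timestamps let the collector order successive address assignments
service timestamps log datetime msec
end
! From enable mode, not config mode; leave it on only while needed,
! the IPCP lines of this debug carry the negotiated address
debug ppp negotiation
```

Debug output on a production router is CPU-intensive and verbose, so the collector-side parser should key on the IPCP address lines and the debug should be switched off with undebug all once the monitoring has what it needs; the hostname prefix, by contrast, is cheap and can stay enabled permanently.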