02-20-2002 05:55 PM - edited 02-21-2020 11:36 AM
Hi all,
Can someone provide a basic config required to make a 3620 a VPN choke router? I have a 7200 sitting behind it and want to only allow IPSec through.
Thanks in advance,
Best Regards,
Jerry Roy
02-21-2002 07:29 AM
To only allow ipsec traffic to pass through your router, create an ACL on the router similar to:
access-list 101 permit udp host <remote-vpn-router-ip> host <local-vpn-router-ip> eq 500
access-list 101 permit esp host <remote-vpn-router-ip> host <local-vpn-router-ip>
The above ACL would be helpful for lan-lan tunnels
If you have client based VPN tunnels terminating on the router, then your ACL would look like:
access-list 101 permit udp any host <local-vpn-router-ip> eq 500
! ESP (IP protocol 50) carries no port numbers, so no "eq" qualifier applies to it
access-list 101 permit esp any host <local-vpn-router-ip>
Once you have the ACL configured, apply it on the inbound interface on the router. For example, if serial 0/0 is your inbound interface, then it would be:
int serial0/0
ip access-group 101 in
Hope that helps
Jazib
P.S. in the ACL, I allowed ESP which is protocol 50. If you are using AH in your configuration, then you have to allow AH as well which is protocol 51
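As an added example (not from this thread), a small Python simulator of the IOS extended-ACL semantics the answer above relies on, first match wins with an implicit deny at the end, run over constructed packets to confirm that only IKE (UDP/500), ESP (protocol 50) and AH (protocol 51) from the known peer get past the choke router; the IP addresses are constructed placeholders.

```python
# Added example, not from the thread: simulate the IOS extended ACL from the
# answer above (first match wins, implicit "deny any" at the end) over a few
# constructed packets to see what the choke router actually lets through.
from ipaddress import ip_address

ESP, AH, UDP = 50, 51, 17               # IP protocol numbers
PROTO_NUM = {"udp": UDP, "esp": ESP, "ah": AH}

def match_host(spec, addr):
    """'any' matches everything; 'host X' matches exactly X."""
    return spec == "any" or ip_address(spec) == ip_address(addr)

def acl_permits(acl, pkt):
    """Return True if the first matching entry permits pkt, else False.
    pkt = (ip_protocol_number, src_ip, dst_ip, dst_port_or_None)."""
    proto, src, dst, dport = pkt
    for action, rproto, rsrc, rdst, rport in acl:
        if PROTO_NUM[rproto] != proto:
            continue
        if not (match_host(rsrc, src) and match_host(rdst, dst)):
            continue
        if rport is not None and dport != rport:   # 'eq <port>' only on udp/tcp
            continue
        return action == "permit"
    return False                                   # implicit deny at end of ACL

# LAN-to-LAN variant of access-list 101, with AH added as the P.S. suggests.
REMOTE, LOCAL = "203.0.113.10", "198.51.100.1"   # constructed sample addresses
ACL_101 = [
    ("permit", "udp", REMOTE, LOCAL, 500),   # IKE
    ("permit", "esp", REMOTE, LOCAL, None),  # ESP, protocol 50
    ("permit", "ah",  REMOTE, LOCAL, None),  # AH, protocol 51
]

def choke_check():
    """Classify constructed packets arriving inbound on the choke interface."""
    samples = {
        "ike":       (UDP, REMOTE, LOCAL, 500),
        "esp":       (ESP, REMOTE, LOCAL, None),
        "ah":        (AH,  REMOTE, LOCAL, None),
        "dns":       (UDP, REMOTE, LOCAL, 53),        # non-IPsec traffic
        "ike_other": (UDP, "192.0.2.7", LOCAL, 500),  # IKE from an unknown peer
    }
    return {name: acl_permits(ACL_101, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, ok in choke_check().items():
        print(f"{name:10s} {'permit' if ok else 'deny'}")
```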
02-21-2002 08:42 AM
I figured that was all there was. Customers throw out terms like "choke router" and I just wanted to be sure there wasn't something I was missing.
Thanks Again Jazib!
BTW, do you know how to set logging on a Cisco to report via syslog the IP address (and the hostname) the unit has received during a PPPoE or DHCP session with their ISP? I have a monitoring application that parses syslog messages, modifies a database and then proceeds to ping the newly assigned IP address and watch the latency. NetScreen, Sonicwall, Netopia, Zyxel all do this. I can't seem to make it work on a Cisco. Is it not available?
02-21-2002 10:07 AM
I am not an expert in PPPoE, but I guess you could enable "debug ppp negotiation" and then parse the IP address from the debugs.
Hope that helps
02-21-2002 11:22 AM
Hi,
I have done that already; it only gives the IP address. I need to also get the router's hostname. Is there a way to get the router to send its hostname via syslog?
Thanks,
Jerry