
New Member

ASA to Router VPN Access lists

Hi, I have an issue tying down ports on an IPsec VPN between an ASA 5510 and a 1801 router. I can get the tunnel up no problem when allowing IP traffic, but when I try to tie it down it all goes wrong.

I would appreciate any help on this. I am trying just to allow TCP http, https and ftp, and ICMP also.

Thanks in advance

ciaran

4 REPLIES
New Member

Re: ASA to Router VPN Access lists

You need to configure an access list. Here is an example:

access-list 100 permit udp any host 10.1.1.25 eq isakmp

Silver

Re: ASA to Router VPN Access lists

To allow all the protocols:

object-group service TCP tcp
 port-object eq telnet
 port-object eq www
 port-object eq ftp-data
 port-object eq domain
 port-object eq https
 port-object eq ftp
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq 8080
 port-object eq ssh
 port-object eq 7070
 port-object eq 6080
 port-object eq rtsp
 port-object eq 8200
 port-object eq 2097
 port-object eq 5012
 port-object eq 990

object-group service UDP udp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq isakmp
 port-object eq 4500
 port-object eq 10000

access-list 102 extended permit udp any any object-group UDP
access-list 102 extended permit tcp any any object-group TCP
access-list 102 extended permit esp any any

Regards,

Dharmesh Purohit

New Member

Re: ASA to Router VPN Access lists

Thanks for the response Dharmesh. But you can only use object-groups on the ASA; on the router (1801) you cannot define object-groups. When I try to mix object groups (on the ASA) with access lists (on the router) I cannot get the tunnel up.

Any help would be appreciated.

New Member

Re: ASA to Router VPN Access lists

On your router you need an ACL like so in your outside int ACL:

access-list 105 permit ahp host remote ip host local ip
access-list 105 permit esp host remote ip host local ip
access-list 105 permit udp host remote ip host local ip eq isakmp
access-list 105 permit udp host remote ip host local ip eq non500-isakmp
access-list 105 permit ip remote internal network 0.0.3.255 local internal network 0.0.7.255
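The replies above show the outside interface ACL that lets the IKE/ESP packets in; the original question is about the crypto ACL that selects what goes through the tunnel. As an added example (not from any of the posts), this is how that crypto ACL can be tied down to HTTP, HTTPS, FTP control and ICMP on both ends; the subnets, ACL names and crypto map names are assumptions, with clients assumed behind the ASA (192.168.10.0/24) and servers behind the 1801 (192.168.20.0/24). The two crypto ACLs must be exact mirror images of each other, so a destination port on the ASA side becomes a source port on the router side.

```cisco
! ASA 5510 side (assumed names/subnets). Crypto ACL: local clients -> remote servers.
access-list VPN-TO-1801 extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
access-list VPN-TO-1801 extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq https
access-list VPN-TO-1801 extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq ftp
access-list VPN-TO-1801 extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! Peer, transform set and ISAKMP policy are assumed to be configured already.
crypto map OUTSIDE_MAP 10 match address VPN-TO-1801

! 1801 (IOS) side: the mirror image. Because the router side holds the servers,
! the port now sits on the SOURCE (server) side of each line, not the destination.
! IOS has no "https" keyword, so 443 is written numerically.
ip access-list extended VPN-TO-ASA
 permit tcp 192.168.20.0 0.0.0.255 eq www 192.168.10.0 0.0.0.255
 permit tcp 192.168.20.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
 permit tcp 192.168.20.0 0.0.0.255 eq ftp 192.168.10.0 0.0.0.255
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 match address VPN-TO-ASA
```

Only the FTP control channel (port 21) is covered here; FTP data connections use other ports and will not match these crypto ACLs. If either side's lines are not mirrored (for example the router is written with `eq www` as a destination port), proxy identities will not match and IPsec SA negotiation fails, which shows up as the tunnel never coming up for the restricted traffic.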
