07-26-2007 03:40 AM
Hi, I have an issue tying down ports on an IPsec VPN between an ASA 5510 and an 1801 router. I can get the tunnel up with no problem when allowing IP traffic, but when I try to tie it down it all goes wrong.
I would appreciate any help on this. I am just trying to allow TCP (HTTP, HTTPS and FTP) and also ICMP.
Thanks in advance
ciaran
08-01-2007 10:10 AM
You need to configure an access list. Here is an example:
access-list 100 permit udp any host 10.1.1.25 eq isakmp
08-01-2007 12:08 PM
To allow all the protocols:
object-group service TCP tcp
 port-object eq telnet
 port-object eq www
 port-object eq ftp-data
 port-object eq domain
 port-object eq https
 port-object eq ftp
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq 8080
 port-object eq ssh
 port-object eq 7070
 port-object eq 6080
 port-object eq rtsp
 port-object eq 8200
 port-object eq 2097
 port-object eq 5012
 port-object eq 990
object-group service UDP udp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq isakmp
 port-object eq 4500
 port-object eq 10000
access-list 102 extended permit udp any any object-group UDP
access-list 102 extended permit tcp any any object-group TCP
access-list 102 extended permit esp any any
Regards,
Dharmesh Purohit
08-02-2007 01:24 AM
Thanks for the response, Dharmesh. But you can only use object-groups on the ASA; on the router (1801) you cannot define object-groups. When I try to mix object-groups (on the ASA) with access lists (on the router) I cannot get the tunnel up.
Any help would be appreciated.
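A tunnel that comes up with a plain permit ip crypto ACL and fails once ports are added is very often a proxy-identity mismatch: the crypto ACLs on the two IPsec peers have to be mirror images of each other, an ASA entry that references a service object-group expands into one entry per port, and the router then needs a matching line for each of those entries, with the ASA's destination port appearing as the source port on the router. The script below is an added example, not code from this thread or from Cisco. It parses a small constructed ASA crypto ACL (object-group syntax, netmasks) and an IOS crypto ACL (flat syntax, wildcard masks), expands both into individual entries and reports the entries that have no mirror on the other side. The networks 10.1.0.0/22 and 10.2.0.0/21, the ACL names VPN and 110 and the object-group WEB are placeholders chosen for the example; the parser only understands any, host, address/mask pairs, eq and ASA service object-groups.

```python
"""Expand ASA (object-group) and IOS (flat) crypto ACLs into individual entries
and check that the two IPsec peers are mirror images of each other.
Added example; all ACL text below is constructed, not taken from the thread."""
import ipaddress
from itertools import product

# Port keywords as they appear in ASA/IOS configs; extend as needed.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "domain": 53, "ssh": 22, "telnet": 23, "isakmp": 500}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, wildcard):
    """Pop one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'.
    IOS masks are wildcards (inverted bits); ASA masks are ordinary netmasks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # convert wildcard to netmask explicitly to avoid ambiguity
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _ports(tokens, groups):
    """Pop an optional port spec ('eq P' or 'object-group G'); None = any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return [_port(tokens.pop(0))]
    if tokens and tokens[0] == "object-group":
        tokens.pop(0)
        return groups[tokens.pop(0)]
    return [None]


def parse_acl(text, wildcard):
    """Return the set of (proto, src, sport, dst, dport) entries an ACL expands to.
    Only 'permit' lines matter for the proxy identities; 'deny' lines are skipped."""
    groups, current, aces = {}, None, set()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "service"]:
            current = t[2]
            groups[current] = []
        elif t[:2] == ["port-object", "eq"]:
            groups[current].append(_port(t[2]))
        elif t[0] == "access-list" and "permit" in t:
            rest = t[t.index("permit") + 1:]
            proto = rest.pop(0)
            src, sports = _addr(rest, wildcard), _ports(rest, groups)
            dst, dports = _addr(rest, wildcard), _ports(rest, groups)
            for sp, dp in product(sports, dports):
                aces.add((proto, src, sp, dst, dp))
    return aces


def mirror(ace):
    """The entry the peer must carry: source and destination swapped, ports included."""
    proto, src, sp, dst, dp = ace
    return (proto, dst, dp, src, sp)


def unmirrored(local, peer):
    """Entries on each side that the other side does not mirror."""
    return ({a for a in local if mirror(a) not in peer},
            {b for b in peer if mirror(b) not in local})


def check(asa_text, router_text):
    """Counts of (ASA entries without a mirror, router entries without a mirror)."""
    a, r = unmirrored(parse_acl(asa_text, False), parse_acl(router_text, True))
    return len(a), len(r)


# Constructed sample: ASA end with the ports restricted through an object-group.
ASA_SIDE = """
object-group service WEB tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
access-list VPN extended permit tcp 10.1.0.0 255.255.252.0 10.2.0.0 255.255.248.0 object-group WEB
access-list VPN extended permit icmp 10.1.0.0 255.255.252.0 10.2.0.0 255.255.248.0
"""

# Constructed sample: router end left at a tunnel-wide 'permit ip' (no mirror for any ASA entry).
ROUTER_IP_ONLY = """
access-list 110 permit ip 10.2.0.0 0.0.7.255 10.1.0.0 0.0.3.255
"""

# Constructed sample: router end written out as the mirror image, one line per port,
# with the ASA's destination ports appearing here as source ports.
ROUTER_MIRRORED = """
access-list 110 permit tcp 10.2.0.0 0.0.7.255 eq www 10.1.0.0 0.0.3.255
access-list 110 permit tcp 10.2.0.0 0.0.7.255 eq https 10.1.0.0 0.0.3.255
access-list 110 permit tcp 10.2.0.0 0.0.7.255 eq ftp 10.1.0.0 0.0.3.255
access-list 110 permit icmp 10.2.0.0 0.0.7.255 10.1.0.0 0.0.3.255
"""

if __name__ == "__main__":
    for name, cfg in (("ip-only router ACL", ROUTER_IP_ONLY), ("mirrored router ACL", ROUTER_MIRRORED)):
        asa_only, router_only = unmirrored(parse_acl(ASA_SIDE, False), parse_acl(cfg, True))
        print(f"{name}: {len(asa_only)} ASA entries and {len(router_only)} router entries unmirrored")
        for ace in sorted(asa_only, key=str):
            print("  ASA entry with no mirror on the router:", ace)
```

The comparison is deliberately exact: a broader entry on one side (permit ip, or a missing port) is reported as a mismatch rather than accepted as a superset, which is what you want when the goal is to keep the two crypto ACLs identical apart from the swapped direction.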
08-06-2007 07:58 PM
On your router you need an ACL like this in your outside interface ACL:
access-list 105 remark IPsec control and data plane between the two peers
access-list 105 permit ahp host <remote-peer-ip> host <local-peer-ip>
access-list 105 permit esp host <remote-peer-ip> host <local-peer-ip>
access-list 105 permit udp host <remote-peer-ip> host <local-peer-ip> eq isakmp
access-list 105 permit udp host <remote-peer-ip> host <local-peer-ip> eq non500-isakmp
access-list 105 remark decrypted traffic between the two internal networks
access-list 105 permit ip <remote-internal-network> 0.0.3.255 <local-internal-network> 0.0.7.255