Communication between routers and VPN concentrators

Anyone know why I'm having a problem setting up a VPN between a Cisco router and a VPN concentrator and using an ACL that restricts by protocol?

I had a VPN set up with a vendor between my 2611 and their PIX and had ACLs like:

permit tcp host x.x.x.x host y.y.y.y eq ftp

and when they moved and installed a concentrator this no longer works and we need to use

permit ip host x.x.x.x host y.y.y.y

with no protocol restrictions.

I have another tunnel set up with a different partner that is the same situation; we were never able to make this work. But I have yet another tunnel between my router and my own PIX that works fine when I trim down to only my needed protocols.

Why the problem doing this between two Cisco devices (though not PIX)?

*tunnel comes up but we are unable to complete the FTP login and even get a directory listing. (yes, I know I also need "ftp-data").



Re: Communication between routers and VPN concentrators

I don't know why you're having the problem you're having, but I could suggest a workaround so you still had the same restrictions...

For your crypto ACL, use the generic:

permit ip host xxxx host yyyy

Then, create another ACL that is more restrictive, applied to one of the interfaces that this traffic passes through (probably inbound on the inside interface).

Make sense? If you do that, make sure you understand ACLs well and the order of operation.
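
The workaround described in the reply above, sketched as IOS configuration. This is an added example, not part of the original thread; the ACL numbers, the crypto map name VPNMAP and the interface Ethernet0/0 are assumptions, and x.x.x.x / y.y.y.y are the thread's own placeholders.

```cisco
! Added example, not from the original posts.
! Assumed names: ACL 110 and 120, crypto map VPNMAP, inside interface Ethernet0/0.
!
! Crypto ACL: only selects which traffic enters the tunnel.
! Kept generic (ip, no ports), as the reply suggests.
access-list 110 permit ip host x.x.x.x host y.y.y.y
!
crypto map VPNMAP 10 ipsec-isakmp
 ! peer and transform-set lines stay as they already are
 match address 110
!
! Interface ACL: carries the protocol restriction instead.
! These two entries cover the FTP control channel and the
! active-mode data channel (server port 20); passive-mode FTP
! uses negotiated ports and would need its own entry.
access-list 120 permit tcp host x.x.x.x host y.y.y.y eq ftp
access-list 120 permit tcp host x.x.x.x host y.y.y.y eq ftp-data
! Block everything else headed for the partner host...
access-list 120 deny ip any host y.y.y.y
! ...and leave unrelated traffic alone, since an ACL ends
! with an implicit "deny ip any any".
access-list 120 permit ip any any
!
interface Ethernet0/0
 description inside (assumed)
 ip access-group 120 in
```

An inbound ACL on the inside interface is evaluated when the packet arrives, before routing and before the crypto map on the outside interface is consulted, so traffic that ACL 120 drops never reaches the tunnel.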

