Cisco Support Community

Prevent rogue VPN client killing L2L

Greetings,

New to routers using VPN.

I have a rogue host behind our router using a VPN client. Whenever they fire up the client, it knocks down the L2L tunnel we have in place.

On the attached config, where would I add an ACL entry to block this host from going out, or specifically prevent them from using the client on port 500?

Thanks in advance.

1 ACCEPTED SOLUTION

Re: Prevent rogue VPN client killing L2L

Hi,

Since the L2L is built on the outside interface, we will deny port 500 on the inside interface, thus disabling ISAKMP for the users:

Instead of your original ACL:

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

Add the new one:

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny udp any any eq isakmp
access-list 100 permit ip any any

Please rate if this helped.

Regards,

Daniel
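Added example, not code from the thread or from Daniel: a small Python model of how IOS evaluates a numbered extended ACL (first matching entry wins, implicit deny at the end, and only traffic entering an interface that has the ACL bound inbound is checked). It parses the original and fixed ACL text from the reply above, with the documentation range 203.0.113.8 0.0.0.7 standing in for the redacted "xx", and runs constructed sample packets through it, assuming, as the reply does, that ACL 100 is applied with "ip access-group 100 in" on the inside interface and that nothing is bound on the outside interface. Going one step beyond the thread, it also evaluates a hardened variant: a remote-access client behind NAT usually negotiates on UDP 4500 (NAT-T, IOS keyword non500-isakmp) and then sends ESP (IP protocol 50), and the "eq isakmp" line alone blocks neither, so the hardened ACL adds those two denies. All host addresses, the rogue client's peer, and the interface names are invented for the example.

```python
"""Model of Cisco IOS extended-ACL evaluation for the ACL in this thread.
Added example, not code from the thread; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# IOS port keywords accepted in "eq" clauses (only the two needed here).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet enters the router on
    proto: str              # "udp", "tcp", "esp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(t, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at t[i].
    Returns ((network, wildcard) as ints, index of the next token)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ip_address(t[i + 1])), 0), i + 2
    return (int(ip_address(t[i])), int(ip_address(t[i + 1]))), i + 2


def _addr_match(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return ((int(ip_address(addr)) ^ net) & care) == 0


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'.
    Remarks and blank lines return None; only destination ports are handled."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return (action == "permit", proto, src, dst, dport)


def parse_acl(text):
    return [a for a in map(parse_ace, text.strip().splitlines()) if a]


def acl_permits(acl, pkt):
    """First matching entry decides; an extended ACL ends in an implicit deny."""
    for permit, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return permit
    return False


def router_forwards(inbound_acls, pkt):
    """inbound_acls: {interface: parsed ACL bound with 'ip access-group N in'}.
    An interface with no inbound ACL does not filter at all."""
    acl = inbound_acls.get(pkt.iface)
    return True if acl is None else acl_permits(acl, pkt)


# The thread's ACLs; 203.0.113.8/29 stands in for the redacted "xx".
COMMON = """
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 203.0.113.8 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
"""
ORIGINAL = COMMON + "access-list 100 permit ip any any\n"
FIXED = COMMON + "access-list 100 deny udp any any eq isakmp\n" \
                 "access-list 100 permit ip any any\n"
# Added here, not in the thread: also stop NAT-T (UDP 4500) and raw ESP.
HARDENED = COMMON + """access-list 100 deny udp any any eq isakmp
access-list 100 deny udp any any eq non500-isakmp
access-list 100 deny esp any any
access-list 100 permit ip any any
"""

# Constructed sample packets (invented addresses).
SAMPLES = {
    "rogue_ike":   Packet("inside", "udp", "192.168.1.50", "198.51.100.20", 500),
    "rogue_nat_t": Packet("inside", "udp", "192.168.1.50", "198.51.100.20", 4500),
    "rogue_esp":   Packet("inside", "esp", "192.168.1.50", "198.51.100.20"),
    "web":         Packet("inside", "tcp", "192.168.1.51", "198.51.100.80", 443),
    "spoofed":     Packet("inside", "udp", "127.0.0.1", "198.51.100.20", 53),
    # the L2L peer's ISAKMP arrives on outside, where ACL 100 is not bound
    "l2l_peer":    Packet("outside", "udp", "198.51.100.1", "203.0.113.9", 500),
}


def evaluate(acl_text):
    """Forwarding decision per sample packet with ACL 100 inbound on 'inside'."""
    bound = {"inside": parse_acl(acl_text)}
    return {name: router_forwards(bound, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED), ("hardened", HARDENED)):
        print(label, evaluate(text))
```

Running the block prints one line per ACL. The L2L peer's ISAKMP on the outside interface is forwarded in every case because ACL 100 is not bound there, which is why placing the deny on the inside interface does not disturb the tunnel; the fixed ACL stops the rogue client's UDP 500 but still forwards its UDP 4500 and ESP, and only the hardened ACL stops all three.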

2 REPLIES

Re: Prevent rogue VPN client killing L2L

Thanks Daniel. I instructed the user doing this to stop using the client while at this location using the L2L. I went ahead and added the deny to prevent this happening in the future.
