RA VPN ACL

gandhi.ganesh
Level 1

Hi,

I have configured an RA VPN tunnel, and everything is working fine, but now I want to allow only the HTTP/www port because the VPN client should have access only to my application server; the rest of the ports need to be blocked. How do I do this?


5 Replies

andrew.prince
Level 10

Check out the below - a good source of config examples:-

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

HTH>

Hi Andrew,

I went through the same site to configure the tunnel and to create the ACL for the same tunnel.

Below is my ACL:

anders4883-asa# show access-list RA-tunnel
access-list RA-tunnel; 3 elements
access-list RA-tunnel line 1 extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=4) 0xa2541dbe
access-list RA-tunnel line 2 extended permit udp 192.168.1.0 255.255.255.0 eq www 10.0.0.0 255.255.255.0 eq www (hitcnt=0) 0xa7f31d26
access-list RA-tunnel line 3 extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=86) 0xa23d5fbf

Where 192.168.1.0/24 is my VPN pool IP range and 10.0.0.0/24 is my application server subnet.

I want to allow http://10.0.0.90 and ICMP also.

The rest of the things should be blocked.

Can you send the correct ACL for the same?

Your ACL line 2 is totally incorrect.

1) HTTP is a TCP protocol, not UDP

2) You cannot have a source port of www - as this is in the restricted ports range, your source port will ALWAYS be 1024 to 65535.

re-configure the line to:-

access-list RA-tunnel line 2 extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www

HTH>
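As an added check that is not part of this thread or of any Cisco tool, the following Python linter applies Andrew's two points to a pasted `show access-list` dump: it flags a TCP service name paired with udp, a well-known service used as a source port (clients always send from ephemeral ports), and permit lines that still show hitcnt=0. It assumes ACEs in the network/mask, host or any forms; the sample dump is the ACL posted above, and the hit count on the corrected line in the test is constructed.

```python
"""Lint an ASA 'show access-list' dump for ACEs that cannot match real client traffic."""
import re

# Constructed sample: the three ACEs posted earlier in this thread.
SAMPLE = """\
access-list RA-tunnel; 3 elements
access-list RA-tunnel line 1 extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=4) 0xa2541dbe
access-list RA-tunnel line 2 extended permit udp 192.168.1.0 255.255.255.0 eq www 10.0.0.0 255.255.255.0 eq www (hitcnt=0) 0xa7f31d26
access-list RA-tunnel line 3 extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=86) 0xa23d5fbf
"""

# Service names that only make sense on TCP (assumed list, not exhaustive).
TCP_ONLY = {"www", "http", "https", "ssh", "telnet", "smtp", "ftp"}

# One extended ACE as printed by 'show access-list'; address forms: net mask, host X, any.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<dport>\S+))?(?: \(hitcnt=(?P<hits>\d+)\))?"
)


def lint_acl(text):
    """Return a list of (ace_line_number, message) findings for suspicious ACEs."""
    findings = []
    for m in ACE_RE.finditer(text):
        line, proto = int(m["line"]), m["proto"]
        sport, dport, hits = m["sport"], m["dport"], m["hits"]
        # 1) A TCP-only service name combined with udp: the ACE is mistyped.
        if proto == "udp" and (sport in TCP_ONLY or dport in TCP_ONLY):
            findings.append((line, f"{sport or dport} is a TCP service but the ACE says udp"))
        # 2) Clients use ephemeral source ports (1024-65535); 'eq www' as source never matches.
        if sport in TCP_ONLY:
            findings.append((line, f"source port 'eq {sport}' will never match client traffic"))
        # 3) A permit that has never been hit is worth a second look once traffic has flowed.
        if m["action"] == "permit" and hits == "0":
            findings.append((line, "permit ACE has hitcnt=0; verify it matches the intended traffic"))
    return findings


if __name__ == "__main__":
    for ace_line, msg in lint_acl(SAMPLE):
        print(f"line {ace_line}: {msg}")
```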

Andrew,

Thanks for your precious time.

It's working.

np - glad to help.