Cisco Support Community
New Member

Internet Branch VPN Router Security Access-List Assistance

Greetings,

I am interested in applying an access-list to a 2811 ISR branch VPN router to block all traffic except VPN and remote management. Can someone assist me with this? Here is what I have. The VPN comes up just fine, but I lose remote management on the outside interface. I manage the router via SSH and/or HTTPS from HQ only.

ip access-list extended INTERNETFW
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any established
 permit tcp X.X.X.X 0.0.0.31 eq ssh any
 permit udp X.X.X.X 0.0.0.31 eq ssh any
 permit tcp X.X.X.X 0.0.0.31 eq 443 any
 deny ip any any log

Accepted Solution
Hall of Fame Super Silver

Re: Internet Branch VPN Router Security Access-List Assistance

Hello Todd,

For accessing SSH on the remote interface you may need a line like:

permit tcp x.x.x.x 0.0.0.31 any eq ssh

Actually, the position of the ports counts, and the well-known port is on the server side if the ACL is applied inbound on the outside interface.

The same reasoning applies for TCP 443:

permit tcp x.x.x.x 0.0.0.31 any eq 443

Hope this helps.

Giuseppe
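To make the source-port versus destination-port point concrete, here is an added example (not code from the thread or from Cisco) that models the subset of IOS extended-ACL syntax used above and runs constructed packets through Todd's original entries and through the corrected form Giuseppe describes. The HQ prefix 203.0.113.0 0.0.0.31 and the branch outside address 198.51.100.2 are assumed stand-ins for the X.X.X.X values in the post; the packet samples are constructed.

```python
"""IOS extended-ACL matching applied to this thread's entries (added example,
not code from the original post; HQ 203.0.113.0 0.0.0.31 and branch
198.51.100.2 are assumed stand-ins for the X.X.X.X values in the post)."""
import ipaddress
from dataclasses import dataclass

HQ = "203.0.113.0 0.0.0.31"   # assumed stand-in for X.X.X.X 0.0.0.31
BRANCH = "198.51.100.2"       # assumed outside address of the 2811
PORT_NAMES = {"ssh": 22, "isakmp": 500, "https": 443}

COMMON = [
    "permit esp any any",
    "permit udp any any eq isakmp",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    "permit tcp any any established",
]
# As posted: 'eq ssh' follows the SOURCE address, so it only matches source port 22.
ORIGINAL = COMMON + [
    f"permit tcp {HQ} eq ssh any",
    f"permit udp {HQ} eq ssh any",
    f"permit tcp {HQ} eq 443 any",
    "deny ip any any log",
]
# Corrected: port follows the DESTINATION address for an inbound ACL; UDP line dropped (SSH is TCP).
CORRECTED = COMMON + [
    f"permit tcp {HQ} any eq ssh",
    f"permit tcp {HQ} any eq 443",
    "deny ip any any log",
]

@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp', 'icmp' or 'esp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # ACK or RST set: all that 'established' tests
    icmp_type: str = ""

def _addr(tokens):
    """Consume 'any' or 'A WILDCARD'; return a network, or None for any."""
    t = tokens.pop(0)
    if t == "any":
        return None
    # ipaddress accepts a hostmask after the slash: 0.0.0.31 -> /27
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def _port(tokens):
    """Consume an optional 'eq <port>'; return the port number or None."""
    if not tokens or tokens[0] != "eq":
        return None
    _, p = tokens.pop(0), tokens.pop(0)
    return int(p) if p.isdigit() else PORT_NAMES[p]

def parse_ace(line):
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(rest)}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    for net, addr in ((ace["src"], pkt.src), (ace["dst"], pkt.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport):
        return False
    if "established" in ace["flags"] and not pkt.ack:
        return False
    icmp_types = ace["flags"] & {"echo", "echo-reply"}
    return not icmp_types or pkt.icmp_type in icmp_types

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

# Constructed packets as they would arrive inbound on the outside interface.
PACKETS = {
    "ssh_from_hq":    Packet("tcp", "203.0.113.5", BRANCH, 51000, 22),
    "https_from_hq":  Packet("tcp", "203.0.113.5", BRANCH, 51001, 443),
    "ssh_from_other": Packet("tcp", "192.0.2.77", BRANCH, 40000, 22),
    "ike_from_peer":  Packet("udp", "203.0.113.1", BRANCH, 500, 500),
    "ack_probe":      Packet("tcp", "192.0.2.77", BRANCH, 40000, 3389, ack=True),
}

def report():
    """Decision for each packet under the original and the corrected ACL."""
    return {n: {"original": evaluate(ORIGINAL, p)[0],
                "corrected": evaluate(CORRECTED, p)[0]} for n, p in PACKETS.items()}
```

Running report() shows the SSH and HTTPS connections from HQ falling through to "deny ip any any log" under the original entries (a connection's SYN has destination port 22 or 443 and an ephemeral source port, so an entry keyed on source port 22 never matches) and being permitted once the port operator follows the destination address. Two caveats the model also makes visible: the "ack_probe" packet is permitted by "permit tcp any any established" under both versions, because that keyword only checks for the ACK or RST bit and keeps no session state, so this ACL is a packet filter, not a stateful firewall; and if the branch router ever sits behind NAT, IKE NAT traversal on UDP 4500 would need its own permit alongside isakmp. The ACL takes effect only when bound to the outside interface with "ip access-group INTERNETFW in".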

2 REPLIES

New Member

Re: Internet Branch VPN Router Security Access-List Assistance

Yes, you're correct. I figured it out. I appreciate your feedback. Thank you very much.
