10-10-2007 08:14 AM - edited 03-03-2019 07:06 PM
I cannot connect to customer VPN using Windows VPN. Customer says their VPN is IPSec L2TP.
I configured a 2811 router as follows, but cannot connect:
ip access-list extended Outside
permit tcp 63.146.60.0 0.0.0.255 any eq 22
permit tcp host 64.141.139.190 any eq 22
permit tcp any host 216.109.202.37 eq ftp
permit tcp any host 216.109.202.37 eq ftp-data
permit tcp any host 216.109.202.35 eq www
permit tcp any host 216.109.202.35 eq 443
permit tcp any host 216.109.202.36 eq www
permit tcp any host 216.109.202.36 eq 443
permit tcp any host 216.109.202.34 eq 995
permit tcp any host 216.109.202.34 eq smtp
permit tcp any host 216.109.202.34 eq 587
permit tcp any host 216.109.202.34 eq www
permit tcp any host 216.109.202.34 eq 443
permit gre any any
permit icmp any any echo-reply
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit udp any any eq 1701
permit udp any any eq 1723
deny ip any any log
** Am I missing something here???? **
I would like to connect to VPN using Windows L2TP IPSec connections.
Thanks :-)
10-16-2007 09:37 AM
It is supposed to be an L2TP IPSec VPN connection. No Cisco VPN client software is being used. Try to configure a router to be able to accept L2TP/IPSEC connections from the Microsoft native clients. Can you please, as a test, change the access-list on the router (the crypto access list) to the following:
no access-list 110
access-list 110 permit udp host 216.109.202.37 eq 1701 host any any eq 5500
10-17-2007 01:50 AM
Hi,
A few things that I can suggest from my experience:
- first, you have opened enough ports to let the L2TP traffic pass through your router; refer to the link below for some more info on that. One more port you can open is UDP 4500.
http://blogs.technet.com/rrasblog/archive/2006/06/14/435826.aspx
- second, you are using the router to control access, which in my opinion will not act as a stateful device, so you need to allow the replies to come in from the remote VPN server; alter your ACL applied at the incoming interface and allow the VPN traffic from the server to come in.
Usually when I am not sure what kind of traffic has to be allowed, I try to capture the traffic, e.g. check the logs of the firewall, and if using a router (in your case), enable "ip route-cache flow" on the interface and then capture the traffic using "show ip cache flow | x.x.x.x". This will give a clear picture of the kind of traffic (IP address and port number).
So just try to connect the VPN from your desktop and capture the traffic hitting the router interface; once confirmed, make the ACL accordingly.
HTH
rgds
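The capture-then-build-the-ACL step described in the reply above, as an added example that is not part of the original thread: it parses the hex protocol/port columns of "show ip cache flow" output and lists the permit entries a non-stateful inbound ACL needs for replies from the VPN server. The sample flow lines and the addresses 192.168.1.10 (client) and 203.0.113.5 (VPN server) are constructed, not from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample of "show ip cache flow" output (not a real capture):
# a Windows L2TP/IPsec client at 192.168.1.10 talking to a VPN server at
# 203.0.113.5. IOS prints the protocol number and ports in hexadecimal, so
# 01F4 = UDP 500 (ISAKMP), 1194 = UDP 4500 (NAT-T), Pr 32 = ESP.
# L2TP (UDP 1701) itself rides inside ESP, so it does not appear as its own flow.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.168.1.10    Fa0/1         203.0.113.5     11 01F4 01F4    10
Fa0/1         203.0.113.5     Fa0/0         192.168.1.10    11 01F4 01F4     9
Fa0/0         192.168.1.10    Fa0/1         203.0.113.5     11 1194 1194    44
Fa0/1         203.0.113.5     Fa0/0         192.168.1.10    11 1194 1194    41
Fa0/0         192.168.1.10    Fa0/1         203.0.113.5     32 0000 0000    80
Fa0/1         203.0.113.5     Fa0/0         192.168.1.10    32 0000 0000    77
Fa0/0         192.168.1.10    Fa0/1         198.51.100.7    06 C3A1 0050    12
"""

PROTO = {0x01: "icmp", 0x06: "tcp", 0x11: "udp", 0x2F: "gre", 0x32: "esp"}
FLOW = re.compile(r"^\S+\s+(\S+)\s+\S+\s+(\S+)\s+([0-9A-Fa-f]{2})\s+"
                  r"([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)")

def parse_flows(text):
    """Return (src, dst, proto, sport, dport, pkts) tuples; header lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if not m:
            continue  # column header or unrelated output
        src, dst, pr, sp, dp, pkts = m.groups()
        flows.append((src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return flows

def return_acl(flows, vpn_server):
    """Extended ACL entries for traffic *sourced by* the VPN server, i.e. the replies
    a non-stateful inbound ACL must permit explicitly (duplicates collapsed, order kept)."""
    entries = OrderedDict()
    for src, dst, pr, sp, dp, _ in flows:
        if src != vpn_server:
            continue
        name = PROTO.get(pr, str(pr))
        if name in ("tcp", "udp"):
            entries[f"permit {name} host {src} eq {sp} host {dst} eq {dp}"] = None
        else:
            entries[f"permit {name} host {src} host {dst}"] = None
    return list(entries)

if __name__ == "__main__":
    for entry in return_acl(parse_flows(SAMPLE), "203.0.113.5"):
        print(entry)
```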