[c-nsp] VPN blocked from access list

Paul Stewart pauls at nexicom.net
Mon Aug 23 20:35:51 EDT 2004


Below is part of an access list we have implemented at a cable modem
POP.  Works great along with blocking Windows ports and crap. :)

The problem is that since I implemented this access list, our cable
techs cannot access our VPN.  

Is what I did below just wrong OR is it just missing some permit
statements for other icmp types that I missed?

Thanks,

Paul


access-list 100 remark Specifically block ICMP fragments
access-list 100 deny   icmp any any fragments
access-list 100 remark Permit inbound ping.
access-list 100 permit icmp any any echo
access-list 100 remark Permit inbound ping response.
access-list 100 permit icmp any any echo-reply
access-list 100 remark Permit Path MTU to function.
access-list 100 permit icmp any any packet-too-big
access-list 100 remark Permit time exceeded messages for traceroute and loops.
access-list 100 permit icmp any any time-exceeded
access-list 100 remark And explicitly block all other ICMP packets
access-list 100 deny   icmp any any
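
Added example, not part of the original post: a first-match model of the ICMP entries of access-list 100 as posted, run over constructed packets to show which entry decides each one. It assumes the IOS keyword meanings echo = type 8, echo-reply = type 0, packet-too-big = type 3 code 4, time-exceeded = type 11; the sample packets and function names are made up for illustration, and the rest of the list (not shown in the post) is not modelled.

```python
# Added example (not from the original post): first-match model of the
# ICMP entries of access-list 100 exactly as posted above.
ICMP = 1  # IP protocol number

# (action, icmp_type, icmp_code, fragments_only); None is a wildcard.
RULES = [
    ("deny",   None, None, True),   # deny   icmp any any fragments
    ("permit", 8,    None, False),  # permit icmp any any echo
    ("permit", 0,    None, False),  # permit icmp any any echo-reply
    ("permit", 3,    4,    False),  # permit icmp any any packet-too-big
    ("permit", 11,   None, False),  # permit icmp any any time-exceeded
    ("deny",   None, None, False),  # deny   icmp any any
]

def evaluate(proto, icmp_type=None, icmp_code=None, frag_offset=0):
    """Return (action, rule_index); (None, None) if no posted line matches."""
    if proto != ICMP:
        return (None, None)  # decided by the part of the list not shown
    for idx, (action, rtype, rcode, frag_only) in enumerate(RULES):
        if frag_only:
            # 'fragments' matches only non-initial fragments (offset > 0).
            # It is the first entry, so later entries only see offset 0 here.
            if frag_offset > 0:
                return (action, idx)
            continue
        if (rtype is None or rtype == icmp_type) and \
           (rcode is None or rcode == icmp_code):
            return (action, idx)
    return (None, None)

SAMPLES = [  # constructed packets: (label, proto, type, code, frag_offset)
    ("echo request",              ICMP, 8,    0,    0),
    ("echo reply",                ICMP, 0,    0,    0),
    ("unreachable, frag needed",  ICMP, 3,    4,    0),
    ("unreachable, port",         ICMP, 3,    3,    0),
    ("time exceeded in transit",  ICMP, 11,   0,    0),
    ("non-initial ICMP fragment", ICMP, None, None, 185),
    ("ESP (IP protocol 50)",      50,   None, None, 0),
]

def report():
    """Evaluate every constructed sample; returns (label, action, index)."""
    return [(label, *evaluate(p, t, c, off)) for label, p, t, c, off in SAMPLES]

if __name__ == "__main__":
    for label, action, idx in report():
        print(f"{label:28} -> {action} (entry {idx})")
```

In this model, destination-unreachable codes other than 4 fall through to the final deny, and non-ICMP protocols are not decided by the posted lines at all.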



