[c-nsp] VPN blocked from access list

Voll, Scott Scott.Voll at wesd.org
Mon Aug 23 22:29:02 EDT 2004


If this is your whole ACL then you're missing a permit for the VPN connection.  I think, if I remember right, IP port 50?  All ACLs end with a deny all.
 
Scott

	-----Original Message----- 
	From: Paul Stewart [mailto:pauls at nexicom.net] 
	Sent: Mon 8/23/2004 5:35 PM 
	To: cisco-nsp at puck.nether.net 
	Cc: 
	Subject: [c-nsp] VPN blocked from access list
	
	

	Below is part of an access list we have implemented at a cable modem
	POP.  Works great along with blocking windows ports and crap. :)
	
	The problem is that since I implemented this access list, our cable
	techs cannot access our VPN. 
	
	Is what I did below just wrong OR is it just missing some permit
	statements for other icmp types that I missed?
	
	Thanks,
	
	Paul
	
	
	access-list 100 remark Specifically block ICMP fragments
	access-list 100 deny   icmp any any fragments
	access-list 100 remark Permit inbound ping.
	access-list 100 permit icmp any any echo
	access-list 100 remark Permit inbound ping response.
	access-list 100 permit icmp any any echo-reply
	access-list 100 remark Permit Path MTU to function.
	access-list 100 permit icmp any any packet-too-big
	access-list 100 remark Permit time exceeded messages for traceroute and loops.
	access-list 100 permit icmp any any time-exceeded
	access-list 100 remark And explicitly block all other ICMP packets
	access-list 100 deny   icmp any any
	
	
	_______________________________________________
	cisco-nsp mailing list  cisco-nsp at puck.nether.net
	https://puck.nether.net/mailman/listinfo/cisco-nsp
	archive at http://puck.nether.net/pipermail/cisco-nsp/
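The following is an added example, not code from either poster: a small Python model of Cisco extended-ACL matching (first match wins, implicit `deny ip any any` at the end) loaded with the six ACEs from the quoted message. It assumes the VPN is IPsec, which is not stated in the thread: ESP (IP protocol 50) and IKE (UDP/500) are what a site-to-site or client IPsec tunnel needs, and UDP/4500 (NAT-T) is included because cable-modem clients are typically behind NAT. The packets are constructed for the demonstration; the fragment handling is a simplified reading of IOS behaviour, not a full implementation.

```python
"""Added example (not from the original post): a minimal model of Cisco
extended-ACL evaluation, showing why an ICMP-only list followed by the
implicit deny blocks an IPsec VPN, and which ACEs fix it.

Assumptions not in the thread: the VPN is IPsec (ESP + IKE, NAT-T for
clients behind NAT).  All sample packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                          # "icmp", "udp", "tcp", "esp", ...
    icmp_type: Optional[str] = None     # e.g. "echo", "redirect"
    dport: Optional[int] = None         # udp/tcp destination port
    fragment: bool = False              # True for a non-initial fragment


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any protocol
    icmp_type: Optional[str] = None
    dport: Optional[int] = None
    fragments: bool = False             # IOS 'fragments' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        has_l4 = self.icmp_type is not None or self.dport is not None
        if self.fragments:
            # 'fragments' keyword: only non-initial fragments match.
            return p.fragment
        if p.fragment:
            # Non-initial fragments carry no L4 header.  Simplified IOS rule:
            # an ACE with L4 qualifiers matches them only if it is a permit
            # (the L3 part matched); a deny with L4 qualifiers is skipped.
            return (not has_l4) or self.action == "permit"
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, str]:
    """First-match semantics; the trailing 'deny ip any any' is implicit."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, f"ace {i}"
    return "deny", "implicit deny"


# The six ACEs quoted in the thread, in order.
POSTED_ACL: List[Ace] = [
    Ace("deny", "icmp", fragments=True),
    Ace("permit", "icmp", icmp_type="echo"),
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("permit", "icmp", icmp_type="packet-too-big"),
    Ace("permit", "icmp", icmp_type="time-exceeded"),
    Ace("deny", "icmp"),
]

# Assumed fix for an IPsec VPN: ESP (proto 50), IKE (udp/500), NAT-T (udp/4500).
IPSEC_PERMITS: List[Ace] = [
    Ace("permit", "esp"),
    Ace("permit", "udp", dport=500),
    Ace("permit", "udp", dport=4500),
]
FIXED_ACL: List[Ace] = POSTED_ACL + IPSEC_PERMITS

# Constructed sample traffic.
SAMPLE: Dict[str, Packet] = {
    "ping": Packet("icmp", icmp_type="echo"),
    "icmp-redirect": Packet("icmp", icmp_type="redirect"),
    "icmp-frag": Packet("icmp", fragment=True),
    "ike": Packet("udp", dport=500),
    "nat-t": Packet("udp", dport=4500),
    "esp": Packet("esp"),
}


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        for name, pkt in SAMPLE.items():
            action, where = evaluate(acl, pkt)
            print(f"{label:6} {name:14} {action:6} ({where})")
```

Against POSTED_ACL the ping is permitted by the echo ACE and the redirect is stopped by the explicit `deny icmp any any`, but ESP and the IKE/NAT-T datagrams match no ACE at all and fall through to the implicit deny, which is the behaviour the thread describes. In IOS the equivalent additions to a numbered ACL would be `access-list 100 permit esp any any`, `access-list 100 permit udp any any eq isakmp` and `access-list 100 permit udp any any eq non500-isakmp` (the `isakmp` and `non500-isakmp` keywords are IOS names for 500 and 4500); they append to the end of the list, which is fine here because nothing earlier in the posted list matches non-ICMP traffic. If the VPN is something other than IPsec (PPTP needs TCP/1723 plus GRE, protocol 47; SSL VPNs need their TCP port), the permits differ accordingly.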
	


