[c-nsp] VPN blocked from access list
Luan Nguyen
luan.nguyen at mci.com
Mon Aug 23 22:44:47 EDT 2004
You probably missed part of the ACL. Those listed are just ICMP.
To be able to do VPN, you need to know what your techs run: the VPN that comes
with Windows, the Cisco VPN client, etc. The lazy way out would be to just enable
IPsec, L2TP and PPTP :)
l2tp 1701/udp #Layer Two Tunneling Protocol
pptp 1723/tcp #Point-to-point tunnelling protocol
IPsec uses UDP port 500 for ISAKMP and ESP = protocol 50; might as well allow
AH = protocol 51.
Luan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, August 23, 2004 8:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN blocked from access list
Below is part of an access list we have implemented at a cable modem
POP. It works great along with blocking Windows ports and crap. :)
The problem is that since I implemented this access list, our cable
techs cannot access our VPN.
Is what I did below just wrong, OR is it just missing some permit
statements for other ICMP types that I missed?
Thanks,
Paul
access-list 100 remark Specifically block ICMP fragments
access-list 100 deny icmp any any fragments
access-list 100 remark Permit inbound ping.
access-list 100 permit icmp any any echo
access-list 100 remark Permit inbound ping response.
access-list 100 permit icmp any any echo-reply
access-list 100 remark Permit Path MTU to function.
access-list 100 permit icmp any any packet-too-big
access-list 100 remark Permit time exceeded messages for traceroute and loops.
access-list 100 permit icmp any any time-exceeded
access-list 100 remark And explicitly block all other ICMP packets
access-list 100 deny icmp any any
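To see concretely why the list above drops the techs' VPN and what the permits Luan suggests change, here is an added example (editor's code, not from either post): a small Python evaluator for the subset of IOS extended-ACL syntax used in this thread, with first-match semantics and the implicit deny that ends every IOS ACL. The original entries are copied from Paul's message; the extra permits follow Luan's list (ISAKMP udp/500, ESP, AH, L2TP udp/1701, PPTP tcp/1723) and go beyond it with GRE (protocol 47, which carries PPTP's data channel) and IPsec NAT-T (udp/4500). Those two additions, the constructed sample packets and the simplified fragment handling are my assumptions, not the thread's.

```python
"""Evaluate a subset of Cisco IOS extended-ACL syntax against sample packets.

Editor's added example, not code from either post. It models the two things
that matter here: first matching entry wins, and an unmatched packet hits the
implicit "deny ip any any" at the end of every IOS ACL.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str                       # IOS keyword: icmp, udp, tcp, esp, ahp, gre
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # IOS ICMP keyword, e.g. "echo"
    fragment: bool = False           # non-initial IP fragment?


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str
    icmp_type: Optional[str] = None
    dport: Optional[int] = None
    fragments: bool = False          # the "fragments" keyword


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO any any [eq PORT|ICMP-TYPE] [fragments]'."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tok = raw.split()
        # Skip blanks, remarks and anything that is not the "any any" form used here.
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[6:]   # tok[4:6] is "any any"
        ace = Ace(action, proto)
        if rest and rest[-1] == "fragments":
            ace.fragments = True
            rest = rest[:-1]
        if proto in ("tcp", "udp") and len(rest) == 2 and rest[0] == "eq":
            ace.dport = int(rest[1])
        elif proto == "icmp" and len(rest) == 1:
            ace.icmp_type = rest[0]
        aces.append(ace)
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    """Simplified IOS matching: 'fragments' hits only non-initial fragments,
    otherwise the fragment flag is ignored (real IOS has more rules here)."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.fragments and not pkt.fragment:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; no match means IOS's implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


# Paul's entries, copied from the thread (remark lines omitted).
ORIGINAL_ACL = """\
access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny icmp any any
"""

# Luan's list plus two editor's additions: NAT-T (udp/4500) and GRE (proto 47,
# PPTP data channel). Assumes the ACL sees the tech -> VPN server direction.
VPN_PERMITS = """\
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 4500
access-list 100 permit esp any any
access-list 100 permit ahp any any
access-list 100 permit udp any any eq 1701
access-list 100 permit tcp any any eq 1723
access-list 100 permit gre any any
"""

# Constructed sample packets, one per VPN traffic class.
VPN_TRAFFIC: Dict[str, Packet] = {
    "ISAKMP": Packet("udp", dport=500),
    "NAT-T": Packet("udp", dport=4500),
    "ESP": Packet("esp"),
    "AH": Packet("ahp"),
    "L2TP": Packet("udp", dport=1701),
    "PPTP-TCP": Packet("tcp", dport=1723),
    "PPTP-GRE": Packet("gre"),
}


def check(acl_text: str) -> Dict[str, str]:
    """Verdict for each VPN traffic class under the given ACL text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in VPN_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("original ACL", ORIGINAL_ACL),
                       ("original + VPN permits", ORIGINAL_ACL + VPN_PERMITS)):
        print(label)
        for name, verdict in check(acl).items():
            print(f"  {name:9} {verdict}")
```

Under the original list every VPN flow ends at the implicit deny, because nothing in an ICMP-only ACL can match a UDP, TCP, ESP, AH or GRE packet; the ICMP behaviour (ping permitted, ICMP fragments and redirects denied) is unchanged by the added permits. Appending the permits after `deny icmp any any` is safe because the ICMP entries never match other protocols, but they must sit above any broader deny. One caveat: `eq 1701` and `eq 1723` match the destination port, so they cover the direction from the techs toward the VPN server; if the same ACL also filters the return direction, the server's replies carry those numbers as source ports and need entries of their own.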
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/