[c-nsp] VPN blocked from access list

Church, Chuck cchurch at netcogov.com
Mon Aug 23 22:48:30 EDT 2004


If that's the whole access list, there's probably more not working than
just a VPN.  You're only allowing some ICMP through, and nothing else.
If you only want VPN in addition to these ICMP types, you'll need to
open those up.  I think for plain vanilla IPSec, you need IP protocol 50
and I think UDP 500 for AH or IKE.  If you're doing IPSec over UDP or
TCP, then there's UDP 4500 or TCP 10000, at least for the Cisco client.
PPTP uses I believe GRE and TCP 1723.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com  <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, August 23, 2004 8:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN blocked from access list

Below is part of an access list we have implemented at a cable modem
POP.  Works great along with blocking windows ports and crap. :)

The problem is that since I implemented this access list, our cable
techs cannot access our VPN.  

Is what I did below just wrong OR is it just missing some permit
statements for other icmp types that I missed?

Thanks,

Paul


access-list 100 remark Specifically block ICMP fragments
access-list 100 deny   icmp any any fragments
access-list 100 remark Permit inbound ping.
access-list 100 permit icmp any any echo
access-list 100 remark Permit inbound ping response.
access-list 100 permit icmp any any echo-reply
access-list 100 remark Permit Path MTU to function.
access-list 100 permit icmp any any packet-too-big
access-list 100 remark Permit time exceeded messages for traceroute and loops.
access-list 100 permit icmp any any time-exceeded
access-list 100 remark And explicitly block all other ICMP packets
access-list 100 deny   icmp any any




----------------------------------------------------------------------------
 NOTE: As of 8/1/2004 my email address has changed to cchurch at netcogov.com
----------------------------------------------------------------------------
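As an added example (not part of either message), a small Python first-match evaluator for the posted ACL 100 shows why ping still works while ESP and IKE fall through to the implicit deny, and what the permits Chuck lists change. The ACL text and packets are constructed here, and fragment handling is simplified to the `fragments` keyword only.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str              # icmp, udp, tcp, esp, gre
    dport: int = 0          # destination port for udp/tcp
    icmp_type: str = ""     # IOS ICMP type name, e.g. "echo-reply"
    fragment: bool = False  # non-initial fragment

# ACL 100 as posted in the thread, with the run-together lines separated.
PAUL_ACL = """
access-list 100 deny   icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny   icmp any any
"""

# Constructed additions from Chuck's list: ESP (IP proto 50), IKE on UDP 500, Cisco client UDP 4500 / TCP 10000.
VPN_PERMITS = """
access-list 100 permit esp any any
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 4500
access-list 100 permit tcp any any eq 10000
"""

def parse_acl(text):
    """(action, protocol, qualifiers) per entry; remark lines are dropped."""
    return [(p[2], p[3], p[6:]) for p in (l.split() for l in text.splitlines())
            if len(p) >= 6 and p[0] == "access-list" and p[2] in ("permit", "deny")]

def matches(rule, pkt):
    _, proto, quals = rule
    if proto != pkt.proto:
        return False
    if not quals:
        return True                        # layer-3 only: any packet of that protocol
    if quals[0] == "fragments":
        return pkt.fragment                # matches only non-initial fragments
    if quals[0] == "eq":
        return pkt.dport == int(quals[1])  # tcp/udp destination port
    return pkt.icmp_type == quals[0]       # named ICMP type

def evaluate(rules, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"
```

Running `evaluate(parse_acl(PAUL_ACL), Packet("esp"))` returns "deny" although no line mentions ESP, which is the implicit-deny behaviour behind the report; appending `VPN_PERMITS` flips ESP, UDP 500 and UDP 4500 to "permit" while everything else (for example TCP 80) stays denied.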



