[c-nsp] VPN blocked from access list
Church, Chuck
cchurch at netcogov.com
Mon Aug 23 22:48:30 EDT 2004
If that's the whole access list, there's probably more not working than
just a VPN. You're only allowing some ICMP through, and nothing else.
If you only want VPN in addition to these ICMP types, you'll need to
open those up. I think for plain vanilla IPSec, you need IP protocol 50
and I think UDP 500 for AH or IKE. If you're doing IPSec over UDP or
TCP, then there's UDP 4500 or TCP 10000, at least for the Cisco client.
PPTP uses I believe GRE and TCP 1723.
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, August 23, 2004 8:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN blocked from access list
Below is part of an access list we have implemented at a cable modem
POP. Works great along with blocking windows ports and crap. :)
The problem is that since I implemented this access list, our cable
techs cannot access our VPN.
Is what I did below just wrong OR is it just missing some permit
statements for other icmp types that I missed?
Thanks,
Paul
access-list 100 remark Specifically block ICMP fragments
access-list 100 deny icmp any any fragments
access-list 100 remark Permit inbound ping.
access-list 100 permit icmp any any echo
access-list 100 remark Permit inbound ping response.
access-list 100 permit icmp any any echo-reply
access-list 100 remark Permit Path MTU to function.
access-list 100 permit icmp any any packet-too-big
access-list 100 remark Permit time exceeded messages for traceroute and loops.
access-list 100 permit icmp any any time-exceeded
access-list 100 remark And explicitly block all other ICMP packets
access-list 100 deny icmp any any
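As an added illustration (not code from either poster), the Python below runs Paul's list against the traffic Chuck describes, using first-match evaluation and the implicit deny that ends every IOS access list. The amended list and the sample packets are constructed for the example; the permits follow Chuck's reply (ESP as IP protocol 50, IKE on UDP 500, NAT-T on UDP 4500).

```python
# Added example: first-match evaluator for the "access-list 100 ..." lines in
# the post; handles only the constructs used here, not the full IOS syntax.
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:1] != ["access-list"] or p[2] == "remark":
            continue                          # skip remarks and blank lines
        proto, rest = p[3], p[6:]             # tokens after "<proto> any any"
        rules.append({"action": p[2], "proto": PROTO[proto] if proto in PROTO else int(proto),
                      "dport": int(rest[1]) if rest[:1] == ["eq"] else None,
                      "fragments": "fragments" in rest,
                      "icmp_type": rest[0] if proto == "icmp" and rest
                                   and rest[0] != "fragments" else None})
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if (r["proto"] in (0, pkt["proto"])
                and (not r["fragments"] or pkt.get("frag", False))
                and (r["dport"] is None or r["dport"] == pkt.get("dport"))
                and (r["icmp_type"] is None or r["icmp_type"] == pkt.get("icmp_type"))):
            return r["action"]
    return "deny"

ORIGINAL_ACL = """
access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny icmp any any
"""
# Same list with the IPsec permits Chuck describes added before the ICMP deny.
AMENDED_ACL = ORIGINAL_ACL.replace("access-list 100 deny icmp any any\n", """\
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 4500
access-list 100 permit esp any any
access-list 100 deny icmp any any
""")
VPN_TRAFFIC = {"IKE udp/500": {"proto": 17, "dport": 500},    # constructed packets
               "NAT-T udp/4500": {"proto": 17, "dport": 4500},  # from an IPsec client
               "ESP": {"proto": 50}, "ping": {"proto": 1, "icmp_type": "echo"}}

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in VPN_TRAFFIC.items()}
```

With the original list, ping still works but IKE, NAT-T and ESP all fall through to the implicit deny, which is exactly the symptom the cable techs are seeing.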