[c-nsp] VPN blocked from access list

Paul Stewart pauls at nexicom.net
Tue Aug 24 11:25:16 EDT 2004


Thanks everyone for the replies...

The access-list has a permit ip any any at the end and a number of other
parts. I should have clarified that there was a lot more to it.

The key portion that was concerning to me was the ICMP part.  The techs
are using PPTP for VPN (unfortunately) at this time to do internal work
such as timesheets etc.

It looks like the simplest method is to remove the ICMP-related part of the
access list.  I was hoping to block anything dangerous in ICMP and only
permit "safer" services, but that's getting more complicated than what I
had thought.. :)

This POP is a cable modem site, so we need to permit everything to
everyone (generally speaking), but we are actively starting to block
135/TCP, 139, 445, etc., which are commonly used for virus spread...

Take care,

Paul




On Mon, 2004-08-23 at 22:29, Voll, Scott wrote:
> If this is your whole ACL then you're missing a permit for the VPN
> connection.  I think, if I remember right, IP port 50?  All ACLs end
> with a deny all.
>  
> Scott
>         -----Original Message----- 
>         From: Paul Stewart [mailto:pauls at nexicom.net] 
>         Sent: Mon 8/23/2004 5:35 PM 
>         To: cisco-nsp at puck.nether.net 
>         Cc:
>         Subject: [c-nsp] VPN blocked from access list
>         
>         
>         
>         Below is part of an access list we have implemented at a cable
>         modem POP.  Works great along with blocking windows ports and crap. :)
>         
>         The problem is that since I implemented this access list, our
>         cable techs cannot access our VPN.
>         
>         Is what I did below just wrong, OR is it just missing some permit
>         statements for other ICMP types that I missed?
>         
>         Thanks,
>         
>         Paul
>         
>         
>         access-list 100 remark Specifically block ICMP fragments
>         access-list 100 deny   icmp any any fragments
>         access-list 100 remark Permit inbound ping.
>         access-list 100 permit icmp any any echo
>         access-list 100 remark Permit inbound ping response.
>         access-list 100 permit icmp any any echo-reply
>         access-list 100 remark Permit Path MTU to function.
>         access-list 100 permit icmp any any packet-too-big
>         access-list 100 remark Permit time exceeded messages for traceroute and loops.
>         access-list 100 permit icmp any any time-exceeded
>         access-list 100 remark And explicitly block all other ICMP
>         packets
>         access-list 100 deny   icmp any any
>         
>         
>         _______________________________________________
>         cisco-nsp mailing list  cisco-nsp at puck.nether.net
>         https://puck.nether.net/mailman/listinfo/cisco-nsp
>         archive at http://puck.nether.net/pipermail/cisco-nsp/
>         
>         
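The thread never pins down which packet the list was actually dropping, so here is a way to check rather than guess. What follows is an added example, not code from the thread, from Paul or from Cisco: a small Python first-match evaluator for the subset of IOS extended-ACL syntax used above. It parses the ICMP entries Paul quoted, appends the "permit ip any any" he says ends the real list, and runs constructed packets through it: PPTP's TCP/1723 control connection and its GRE tunnel, the SMB port he mentions blocking, and a handful of ICMP types. A second, hypothetical list (an assumption for illustration, not what Paul deployed) adds explicit PPTP entries, permits the whole ICMP unreachable class rather than only code 4, and denies 135/139/445 ahead of the final permit. The keyword-to-type mapping is IOS's (packet-too-big is type 3 code 4 only; unreachable is every code of type 3); the packets are constructed and no real addresses are used.

```python
"""First-match evaluator for a small subset of Cisco IOS extended ACL syntax.

Added example (not from the thread). Only the keywords used below are
understood, and every entry must be 'any any' (no hosts or wildcard masks).
"""

# IOS ICMP keywords -> (type, code); code None matches every code of that type.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "packet-too-big": (3, 4),   # destination unreachable, fragmentation needed
    "unreachable": (3, None),   # every destination-unreachable code
    "time-exceeded": (11, None),
    "redirect": (5, None),
}

# The entries quoted in the thread (remarks trimmed to one), plus the trailing
# permit Paul says the real list ends with.
POSTED_ACL = """
access-list 100 remark Specifically block ICMP fragments
access-list 100 deny   icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny   icmp any any
access-list 100 permit ip any any
"""

# Hypothetical variant (an assumption, not Paul's deployed list): explicit PPTP
# entries, the whole unreachable class, and the Windows ports he mentions.
VARIANT_ACL = """
access-list 100 deny   icmp any any fragments
access-list 100 permit tcp any any eq 1723
access-list 100 permit gre any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 deny   icmp any any
access-list 100 deny   tcp any any eq 135
access-list 100 deny   tcp any any eq 139
access-list 100 deny   tcp any any eq 445
access-list 100 permit ip any any
"""


def parse_acl(text):
    """Return rule dicts in list order; 'remark' lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[2] == "remark":
            continue
        action, proto, src, dst, extras = parts[2], parts[3], parts[4], parts[5], parts[6:]
        if (src, dst) != ("any", "any"):
            raise ValueError("example supports 'any any' entries only: " + line)
        rule = {"action": action, "proto": proto, "icmp": None, "dport": None,
                "fragments": False, "text": " ".join(parts)}
        while extras:
            tok = extras.pop(0)
            if tok == "fragments":
                rule["fragments"] = True
            elif tok == "eq":
                rule["dport"] = int(extras.pop(0))
            elif tok in ICMP_KEYWORDS:
                rule["icmp"] = ICMP_KEYWORDS[tok]
            else:
                raise ValueError(f"unsupported token {tok!r} in: {line}")
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """An entry with 'fragments' matches only non-initial fragments; an entry
    with layer-4 qualifiers (ICMP type or port) is checked only against packets
    whose layer-4 header is present (unfragmented or first fragment). IOS also
    lets a permit entry with L4 info match non-initial fragments on layer 3
    alone; that case never arises with these lists, so it is not modelled."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    non_initial = pkt.get("frag_offset", 0) > 0
    if rule["fragments"]:
        return non_initial
    if rule["icmp"] is not None or rule["dport"] is not None:
        if non_initial:
            return False
        if rule["dport"] is not None:
            return pkt.get("dport") == rule["dport"]
        t, c = rule["icmp"]
        return pkt["icmp_type"] == t and (c is None or pkt["icmp_code"] == c)
    return True


def evaluate(rules, pkt):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["text"]
    return "deny", "(implicit deny at end of list)"


def icmp(t, code=0, frag_offset=0):
    return {"proto": "icmp", "icmp_type": t, "icmp_code": code, "frag_offset": frag_offset}


# Constructed packets chosen to exercise each branch of the lists above.
SAMPLE_PACKETS = {
    "pptp control TCP/1723": {"proto": "tcp", "dport": 1723},
    "pptp GRE": {"proto": "gre"},
    "SMB TCP/445": {"proto": "tcp", "dport": 445},
    "icmp echo": icmp(8),
    "icmp echo-reply": icmp(0),
    "icmp frag-needed 3/4": icmp(3, 4),
    "icmp port-unreachable 3/3": icmp(3, 3),
    "icmp time-exceeded 11": icmp(11),
    "icmp redirect 5": icmp(5, 1),
    "icmp non-initial fragment": icmp(8, frag_offset=185),
}


def classify(acl_text):
    """Map each sample packet name to 'permit' or 'deny' under the given list."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_ACL), ("variant", VARIANT_ACL)):
        print(f"--- {label} list ---")
        rules = parse_acl(text)
        for name, pkt in SAMPLE_PACKETS.items():
            action, entry = evaluate(rules, pkt)
            print(f"{name:28} {action:6} {entry}")
```

Running it prints one line per packet for each list. The posted list passes TCP/1723 and GRE (they fall through to permit ip any any), but it drops every destination-unreachable other than code 4 and every ICMP type not explicitly listed, which is the kind of thing worth knowing before deciding whether the ICMP section stays. A one-entry list with no trailing permit drops an echo-reply, which is Scott's implicit-deny point.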
