topic Re: VPN access-list in Network Security

VPN access-list

clark-white — Mon, 11 Mar 2019 23:29:27 GMT

folks,

i have a problem with my vpn client not connecting to other corporate vpn server, I have a INBOUND access-list on my router which is permitting only the below access-list. When i remove the below access-list from the interface remote vpn works fine. what other protocols i shld allow.

ip access-list extended test

permit esp any host X.X.X.X

permit udp any eq non500-isakmp host X.X.X.X

permit udp any eq isakmp host X.X.X.X

permit ahp any host X.X.X.X

VPN access-list

manish arora — Wed, 11 Jul 2012 00:03:48 GMT

not quite sure about the Direction of the ports you mentioned above :-

try

permit esp any host X.X.X.X

permit udp any host X.X.X.X eq non500-isakmp

permit udp any host X.X.X.X eq isakmp

permit udp any host X.X.X.X eq 4500

permit ah any host X.X.X.X

Manish

VPN access-list

clark-white — Wed, 11 Jul 2012 05:28:08 GMT

folks

The traffic flow is from internet (means to other corporate network) to internal LAN , what i have mentioned above is for the return Inbound traffic on the Internet router. For outbound traffic i hvae permitted everything.

thanks

Re: VPN access-list

Karsten Iwen — Wed, 11 Jul 2012 06:23:09 GMT

for the typical IPSec-VPN the following ACEs are enough:

permit udp any host x.x.x.x eq 500 4500 ! ISAKMP and NAT-Traversal

permit esp any host x.x.x.x ! VPN-Data-Packets when no NAT-Traversal is used

You don't need to allow the protocol AH (Authentication Header), as it is not used for VPNs anymore.

Sent from Cisco Technical Support iPad App

Re: VPN access-list

nkarthikeyan — Wed, 11 Jul 2012 10:29:01 GMT

Hi Clarke,

I understand your query. There should not be any issue... the ports looks fine.... It should work....

But we need to have few other ports to be added to work this out.... You just check your logs / do packet capture to check

if anything specifically for the vpn client or vpn server specific ports. See for example if a VPN client uses some specific port to get the vpn connection..... If the VPN request comes with some specific source port... then it will not allow.... Also this depends on the VPN client configuration as well.... if u configured the vpn to use udp nat traversal... it should work....

try allowing tcp and udp ports 10000,10001-cisco & 2746-checkpoint/eras vpn clinets.... if not working try allowing the range 1024-65535 for tcp and udp..... and check the hits and get the confirmed....

Re: VPN access-list

nkarthikeyan — Wed, 11 Jul 2012 10:33:45 GMT

also it depends on what type of vpn connection u use to connect.... cisco vpn, cisco anyconnect, something like that...

Re: VPN access-list

clark-white — Thu, 12 Jul 2012 22:45:58 GMT

thanks

i will apply the configs and update the post, also by enabling log for acces-list and it will pop in console the port numbers