08-27-2004 07:13 AM - edited 02-21-2020 10:11 AM
My problem is similar to others' as far as I can successfully make a VPN connection to my PIX firewall. Once connected, I cannot access any network resources. The difference is that I am going through a Cisco 2514 router. This is a test lab that I have where the 2500 router is connected to my DSL ISP. The 2nd Ethernet interface is plugged into my internal LAN. I have removed all access lists on the "internet" interface, but that did not seem to solve the problem. I also created an access list that permitted ESP as well as ip any any just to test. No luck either. What do I have to do to pass IPsec traffic through a Cisco router?
Thanks
08-27-2004 07:38 AM
Did you apply udp access for isakmp, i.e.
access-list 150 permit esp any host 1.2.3.4
access-list 150 permit udp any host 1.2.3.4 eq isakmp
And on your router outside interface bind the above ACL with:
ip access-group 150 in
Let me know if that helps
08-27-2004 09:25 AM
Thanks. Below is the access list that is applied inbound on the outside int:
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any any established log
access-list 100 permit udp host 216.68.4.10 eq domain any log
access-list 100 permit udp host 216.68.5.10 eq domain any log
access-list 100 permit esp any any log
access-list 100 permit tcp any any eq 50 log
access-list 100 permit tcp any any eq 51 log
access-list 100 permit udp any any eq isakmp log
access-list 100 permit udp any any eq bootpc log
access-list 100 deny ip any any log
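Added example, not taken from any post in this thread: the inbound ACL above already admits ESP and ISAKMP, which is consistent with the tunnel coming up, but two of its entries never match anything. ESP and AH are IP protocols 50 and 51, not TCP ports, so "permit tcp any any eq 50" and "permit tcp any any eq 51" match no VPN traffic at all; "permit esp" (and "permit ahp" if a transform set uses AH) is what actually carries the tunnel. The version below is scoped to the PIX's outside address and adds the UDP/4500 entry needed when NAT traversal is negotiated. It assumes 203.0.113.10 as a placeholder for the PIX outside address and Ethernet0 as the router's DSL-facing interface; neither value comes from this thread.

```cisco
! Added example, not the poster's configuration. Inbound ACL for the
! router interface that faces the ISP, admitting an IPsec VPN that
! terminates on a PIX behind the router.
! 203.0.113.10 is a placeholder for the PIX outside address.
!
! IKE (ISAKMP) on UDP/500
access-list 100 permit udp any host 203.0.113.10 eq isakmp
! IKE and ESP encapsulated in UDP/4500 when NAT-T is negotiated
access-list 100 permit udp any host 203.0.113.10 eq non500-isakmp
! ESP is IP protocol 50; "permit tcp ... eq 50" does not match it
access-list 100 permit esp any host 203.0.113.10
! AH is IP protocol 51; only needed if a transform set uses AH
access-list 100 permit ahp any host 203.0.113.10
! Return traffic for sessions initiated from the inside
access-list 100 permit tcp any any established
access-list 100 permit icmp any any echo-reply
! Log what falls through so drops are visible in "show logging"
access-list 100 deny ip any any log
!
interface Ethernet0
 ip access-group 100 in
```

Watch the hit counters with "show access-lists 100" while a client connects: the isakmp (or non500-isakmp) and esp entries should increment and the deny entry should not. Two checks beyond the ACL: if the router performs PAT on the DSL link in front of the PIX, plain ESP cannot be translated because it carries no port numbers, so the PIX needs a one-to-one static translation or the peers must negotiate NAT-T; and once the tunnel is established, data to inside hosts is still ESP as it crosses this router, so traffic that reaches the PIX but never arrives on the LAN is not being dropped by this ACL.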