VPN access-list

clark-white
Level 1

Folks,

I have a problem with my VPN client not connecting to another corporate VPN server. I have an INBOUND access-list on my router which permits only the entries below. When I remove the access-list below from the interface, the remote VPN works fine. What other protocols should I allow?

ip access-list extended test
 permit esp any host X.X.X.X
 permit udp any eq non500-isakmp host X.X.X.X
 permit udp any eq isakmp host X.X.X.X
 permit ahp any host X.X.X.X

6 Replies

manish arora
Level 6

Not quite sure about the direction of the ports you mentioned above. Try:

permit esp any host X.X.X.X
permit udp any host X.X.X.X eq non500-isakmp
permit udp any host X.X.X.X eq isakmp
permit udp any host X.X.X.X eq 4500        ! same port as non500-isakmp
permit ahp any host X.X.X.X                ! 'ahp' is the IOS keyword for AH (protocol 51)

Manish

Folks,

The traffic flow is from the internet (meaning from the other corporate network) to the internal LAN. What I have mentioned above is for the return inbound traffic on the internet router. For outbound traffic I have permitted everything.

Thanks

For the typical IPsec VPN the following ACEs are enough:

permit udp any host x.x.x.x eq 500 4500 ! ISAKMP and NAT-Traversal

permit esp any host x.x.x.x    ! VPN-Data-Packets when no NAT-Traversal is used

You don't need to allow the protocol AH (Authentication Header), as it is not used for VPNs anymore.

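An added example (not code from this thread, from Cisco, or from any of the posters) that makes the port-direction point in the two replies above concrete: a small Python matcher for the ACE forms posted in this thread, run against constructed return packets from a remote VPN server. X.X.X.X is stood in by 198.51.100.1 and the remote server by 203.0.113.10 (documentation addresses, not real hosts). The packet on UDP 10000 assumes the Cisco VPN Client's default IPsec-over-UDP port, and the "after PAT" packet assumes the router translated the client's source port. The matcher understands only 'any' and 'host' addresses with optional 'eq' ports and strips '!' comments; it is not a full IOS ACL grammar.

```python
"""Evaluate Cisco IOS extended ACEs against constructed IPsec return traffic.

Added example (not from the original thread): a minimal matcher for the
'permit <proto> <src> [eq <port>...] <dst> [eq <port>...]' forms posted in
the thread. Only 'any' and 'host A.B.C.D' addresses are supported.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}                 # IOS port keywords
PROTO_NAMES = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}  # 0 = any protocol


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP/AH, which carry no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: int
    src: Optional[str]       # None means 'any'
    sports: FrozenSet[int]   # empty set means any port
    dst: Optional[str]
    dports: FrozenSet[int]


def _parse_endpoint(toks, i):
    """Parse 'any' or 'host A.B.C.D' followed by an optional 'eq p [p ...]'."""
    if toks[i] == "any":
        addr, i = None, i + 1
    elif toks[i] == "host":
        addr, i = toks[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form at {toks[i]!r}")
    ports = set()
    if i < len(toks) and toks[i] == "eq":
        i += 1
        while i < len(toks) and toks[i] not in ("any", "host"):
            ports.add(PORT_NAMES.get(toks[i]) or int(toks[i]))
            i += 1
    return addr, frozenset(ports), i


def parse_acl(text):
    """Return the ACEs of an 'ip access-list extended' block; header lines and '!' comments are ignored."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split("!", 1)[0].split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, sports, i = _parse_endpoint(toks, 2)
        dst, dports, _ = _parse_endpoint(toks, i)
        aces.append(Ace(toks[0], PROTO_NAMES[toks[1]], src, sports, dst, dports))
    return aces


def matches(ace, pkt):
    return (ace.proto in (0, pkt.proto)
            and ace.src in (None, pkt.src)
            and ace.dst in (None, pkt.dst)
            and (not ace.sports or pkt.sport in ace.sports)
            and (not ace.dports or pkt.dport in ace.dports))


def evaluate(aces, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


OUR_PUBLIC = "198.51.100.1"   # constructed stand-in for X.X.X.X
REMOTE_VPN = "203.0.113.10"   # constructed remote corporate VPN server

# The question's ACL: 'eq' sits between source and destination, so it matches the SOURCE port.
ACL_SOURCE_PORT = f"""
ip access-list extended test
 permit esp any host {OUR_PUBLIC}
 permit udp any eq non500-isakmp host {OUR_PUBLIC}
 permit udp any eq isakmp host {OUR_PUBLIC}
 permit ahp any host {OUR_PUBLIC}
"""

# The form suggested in the replies: 'eq' after the destination host matches the DESTINATION port.
ACL_DEST_PORT = f"""
ip access-list extended test
 permit udp any host {OUR_PUBLIC} eq 500 4500  ! ISAKMP and NAT-T
 permit esp any host {OUR_PUBLIC}
"""

# Constructed return packets from the remote VPN server to our public address.
RETURN_FLOWS = {
    "ike_reply_port_preserved": Packet(17, REMOTE_VPN, OUR_PUBLIC, 500, 500),
    "ike_reply_after_pat":      Packet(17, REMOTE_VPN, OUR_PUBLIC, 500, 1025),    # assumes PAT moved the client port
    "nat_t_reply":              Packet(17, REMOTE_VPN, OUR_PUBLIC, 4500, 4500),
    "esp_data":                 Packet(50, REMOTE_VPN, OUR_PUBLIC),
    "cisco_ipsec_over_udp":     Packet(17, REMOTE_VPN, OUR_PUBLIC, 10000, 10000),  # Cisco client default IPsec/UDP port
}


def check(acl_text, flows=RETURN_FLOWS):
    """Map each named flow to 'permit' or 'deny' under the given ACL text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("source-port ACL", ACL_SOURCE_PORT), ("destination-port ACL", ACL_DEST_PORT)):
        print(label, check(acl))
```

With 'eq' between source and destination, the entry matches the server's source port (500 or 4500), so an IKE reply sent to a translated client port still matches; with 'eq' after the destination host, the entry matches the port the reply is addressed to, and a reply to port 1025 is dropped by the implicit deny. Neither form permits the UDP 10000 encapsulation, so a client configured for it needs its own entry.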

nkarthikeyan
Level 7

Hi Clark,

I understand your query. There should not be any issue; the ports look fine. It should work.

But we need to have a few other ports added to make this work. Just check your logs or do a packet capture to check if anything is specific to the VPN client or VPN server ports. See, for example, whether the VPN client uses some specific port to get the VPN connection. If the VPN request comes with some specific source port, then it will not be allowed. Also, this depends on the VPN client configuration as well: if you configured the VPN to use UDP NAT traversal, it should work.

Try allowing TCP and UDP ports 10000 and 10001 (Cisco) and 2746 (Checkpoint/eras VPN clients). If that is not working, try allowing the range 1024-65535 for TCP and UDP, check the hits, and get it confirmed.

Also, it depends on what type of VPN connection you use to connect: Cisco VPN, Cisco AnyConnect, something like that.

Thanks

I will apply the configs and update the post, also by enabling log on the access-list, which will show the port numbers on the console.
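An added example (not from this thread or any of its posters) for the log-and-see approach suggested in the previous reply and planned in the post above: parse the deny messages that a 'log' keyword on an ACE produces and turn the denied flows from a known VPN peer into candidate permit entries. The sample lines are constructed in the shape of IOS's %SEC-6-IPACCESSLOGP (TCP/UDP, with ports) and %SEC-6-IPACCESSLOGNP (other protocols, with the protocol number) messages; the addresses are documentation ranges, the ACL name 'test' is the one from the question, and the telnet probe from 192.0.2.77 is included to show that unrelated denies are not turned into permits.

```python
"""Turn IOS ACL deny-log messages into the permit ACEs the ACL is missing.

Added example (not from the original thread). SAMPLE_LOG is constructed in the
shape of %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGNP messages; no real hosts.
"""
import re
from collections import Counter

# TCP/UDP denies carry ports; other protocols (ESP = 50, AH = 51) carry only the protocol number.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?")
LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) denied (?P<proto>\d+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<n>\d+) packets?")
PROTO_KEYWORD = {50: "esp", 51: "ahp", 47: "gre"}  # protocol number -> IOS ACL keyword

SAMPLE_LOG = """\
*Mar  1 00:12:01.203: %SEC-6-IPACCESSLOGP: list test denied udp 203.0.113.10(10000) -> 198.51.100.1(10000), 1 packet
*Mar  1 00:12:03.451: %SEC-6-IPACCESSLOGP: list test denied udp 203.0.113.10(10000) -> 198.51.100.1(10000), 3 packets
*Mar  1 00:12:05.019: %SEC-6-IPACCESSLOGNP: list test denied 50 203.0.113.10 -> 198.51.100.1, 4 packets
*Mar  1 00:12:09.700: %SEC-6-IPACCESSLOGP: list test denied tcp 192.0.2.77(51234) -> 198.51.100.1(23), 1 packet
"""


def parse_denies(log_text):
    """Yield (acl, proto, src, sport, dst, dport, count) for every deny message in the log."""
    for line in log_text.splitlines():
        m = LOGP.search(line)
        if m:
            yield (m["acl"], m["proto"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), int(m["n"]))
            continue
        m = LOGNP.search(line)
        if m:
            proto = PROTO_KEYWORD.get(int(m["proto"]), m["proto"])
            yield (m["acl"], proto, m["src"], None, m["dst"], None, int(m["n"]))


def denied_flows(log_text):
    """Aggregate denied packet counts per (acl, proto, src, dst, dport).

    The source port is dropped on purpose: return traffic is identified by where
    it is going, and the peer's ephemeral ports vary between attempts."""
    counts = Counter()
    for acl, proto, src, sport, dst, dport, n in parse_denies(log_text):
        counts[(acl, proto, src, dst, dport)] += n
    return counts


def suggest_aces(log_text, vpn_peers, local_host):
    """Propose host-to-host 'permit' ACEs only for denied flows from a known VPN
    peer to our address; denies from anyone else (the telnet probe) are left alone."""
    aces = []
    for (acl, proto, src, dst, dport), n in denied_flows(log_text).items():
        if src not in vpn_peers or dst != local_host:
            continue
        ace = f"permit {proto} host {src} host {dst}"
        if dport is not None:
            ace += f" eq {dport}"
        aces.append(ace)
    return aces


if __name__ == "__main__":
    for flow, n in denied_flows(SAMPLE_LOG).items():
        print(n, "packets denied:", flow)
    for ace in suggest_aces(SAMPLE_LOG, {"203.0.113.10"}, "198.51.100.1"):
        print(ace)
```

The proposed entries are scoped to the remote server's address rather than 'any', which is as narrow as the log evidence supports; review them before adding them to the interface ACL rather than pasting them blindly.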
