01-08-2005 12:34 PM - edited 03-02-2019 08:57 PM
I have a 1760 router with the vpn accelerator card. Its primary link is a frame-relay line. We then have a DSL router that is bridged to an additional Ethernet interface on the 1760. This is a backup link.
We plan to use IPSEC over a GRE tunnel through the DSL line.
I also have to use PPPOE to connect to the DSL. That works.
What I want to do is prevent any other internet traffic from getting through the DSL line interface.
I need to allow GRE/IPSEC and the PPPOE through the interface. I also want SSH and possibly telnet.
When I apply the following access-list it seems as if PPPOE stops working. I can't find what ports I need to allow through. Here are the relevant portions of the config.
I thought a simple access-list would be best. I currently have it applied to the ethernet interface, should I apply to the dialer instead? What ports for the pppoe?
Thanks in advance.
vpdn-group pppoe
request-dialin
protocol pppoe
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 80000
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
mode transport
!
crypto map vpn 110 ipsec-isakmp
set peer (public vpn endpoint)
set transform-set strong
match address 199
!
!
interface Tunnel11
description GRE Tunnel
bandwidth 1024
ip address 10.100.70.2 255.255.255.0
no ip redirects
no ip unreachables
delay 15000
tunnel source Dialer1
tunnel destination (Public IP address of VPN endpoint)
interface Ethernet1/0
description Backup Link to DSL
no ip address
ip access-group 101 in
no ip redirects
no ip unreachables
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
interface Dialer1
description to VPN Backup Link DSL
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname username@username.com
ppp chap password 7 XXXXX
ppp pap sent-username username@username.com password XXXXX
crypto map vpn
router eigrp 100
network 172.16.0.0
network 192.168.11.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1 190
ip route 0.0.0.0 0.0.0.0 Dialer1 190
ip route (Public IP Address of VPN Endpoint) 255.255.255.255 Dialer1
ip route 172.16.11.0 255.255.255.0 Null0 249
ip route 192.168.11.0 255.255.255.0 Null0 249
access-list 101 remark Disallow internet traffic
access-list 101 permit icmp any any
access-list 101 permit ip host (Public IP of VPN Endpoint) host (Public IP of Dialer1)
access-list 101 permit gre host (Public IP of VPN Endpoint) host (Public IP of Dialer1)
access-list 101 permit tcp any host (Public IP of Dialer1) eq 22
access-list 101 permit tcp any host (Public IP of Dialer1) eq 23
access-list 199 remark Encryption and GRE Traffic
access-list 199 permit gre host (Public IP of Dialer1) host (Public IP of VPN Endpoint)
access-list 199 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 199 permit ip 172.16.11.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
01-08-2005 03:14 PM
Hello,
You can try to remove the access-group 101 on the Ethernet 1/0 interface and to configure it on the dialer1 interface. I think it will work better.
Regards,
Tanguy
01-25-2005 02:00 PM
You must apply the access-list to the dialer interface. Please keep in mind access-lists are meant to control IP/TCP/UDP traffic and not PPP. Therefore you do not need to include entries in the access-list for PPPOE as this is not an IP protocol.
Here is a generic access-list you could use. Apply it to the dialer interface, because this is the interface that IP is bound to.
OUTBOUND
access-list 120 permit gre host SOURCE IP host DESTINATION IP
access-list 120 permit udp host SOURCE IP host DESTINATION IP eq non500-isakmp
access-list 120 permit udp host SOURCE IP host DESTINATION IP eq isakmp
access-list 120 permit esp host SOURCE IP host DESTINATION IP
INBOUND
access-list 121 permit gre host SOURCE IP host DESTINATION IP
access-list 121 permit udp host SOURCE IP host DESTINATION IP eq non500-isakmp
access-list 121 permit esp host SOURCE IP host DESTINATION IP
access-list 121 permit udp host SOURCE IP host DESTINATION IP eq isakmp
access-list 121 permit tcp any any eq 22
01-25-2005 04:10 PM
Yes, I was finally able to get this to work and you are totally correct about the pppoe settings. Here's what my access-list looked like for the working configuration. I tried scanning the public address and didn't get much in reply back. I wanted to allow ICMP for testing though.
access-list 101 remark Disallow internet traffic
access-list 101 permit icmp any any
access-list 101 permit ip host X.X.X.X host Y.Y.Y.Y
access-list 101 permit udp any host Y.Y.Y.Y eq isakmp
access-list 101 permit esp any host Y.Y.Y.Y
access-list 101 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 101 permit tcp any host Y.Y.Y.Y eq 22
access-list 101 deny ip any any
What's the non500-isakmp? Haven't seen that one before.
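For readers comparing the generic inbound list from the second reply with the working list the original poster ended up with, here is an added example (editor's code, not from the thread or from Cisco) that parses IOS extended access-list lines and evaluates a handful of sample flows against them with first-match semantics and the implicit deny at the end. The port keyword isakmp is UDP 500 (IKE) and non500-isakmp is UDP 4500 (IKE/ESP NAT traversal). The addresses 203.0.113.10 (VPN endpoint) and 198.51.100.20 (Dialer1 public address) are constructed placeholders from the documentation ranges, standing in for the X.X.X.X / Y.Y.Y.Y and SOURCE IP / DESTINATION IP in the posts; the sample flows are likewise constructed.

```python
"""Toy evaluator for Cisco IOS extended ACL lines (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the thread; the numbers are the standard assignments
PORT_NAMES = {
    "isakmp": 500,          # IKE
    "non500-isakmp": 4500,  # IKE/ESP NAT traversal
    "ssh": 22,
    "telnet": 23,
}


@dataclass
class Flow:
    proto: str                  # protocol as IOS spells it: ip, icmp, tcp, udp, gre, esp
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # IOS wildcard masks are hostmasks, which ipaddress accepts in the mask position
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].lower() != "access-list" or tokens[2] == "remark":
            continue  # blank lines, remarks, and anything that is not an ACL entry
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        _sport, i = _parse_port(tokens, i)   # source port is parsed but ignored here
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, flow):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != flow.proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


# Constructed placeholders for the VPN endpoint and the Dialer1 public address
PEER, DIALER = "203.0.113.10", "198.51.100.20"

# The working ACL from the original poster's last reply, placeholders filled in
WORKING_ACL = f"""
access-list 101 remark Disallow internet traffic
access-list 101 permit icmp any any
access-list 101 permit ip host {PEER} host {DIALER}
access-list 101 permit udp any host {DIALER} eq isakmp
access-list 101 permit esp any host {DIALER}
access-list 101 permit gre host {PEER} host {DIALER}
access-list 101 permit tcp any host {DIALER} eq 22
access-list 101 deny ip any any
"""

# The generic inbound ACL from the second reply, placeholders filled in
GENERIC_INBOUND = f"""
access-list 121 permit gre host {PEER} host {DIALER}
access-list 121 permit udp host {PEER} host {DIALER} eq non500-isakmp
access-list 121 permit esp host {PEER} host {DIALER}
access-list 121 permit udp host {PEER} host {DIALER} eq isakmp
access-list 121 permit tcp any any eq 22
"""

# Constructed sample flows arriving inbound on the dialer interface
SAMPLE_FLOWS = {
    "ike_from_peer": Flow("udp", PEER, DIALER, 500),
    "natt_from_peer": Flow("udp", PEER, DIALER, 4500),
    "esp_from_peer": Flow("esp", PEER, DIALER),
    "gre_from_peer": Flow("gre", PEER, DIALER),
    "ssh_from_anyone": Flow("tcp", "192.0.2.5", DIALER, 22),
    "telnet_from_anyone": Flow("tcp", "192.0.2.5", DIALER, 23),
    "http_from_anyone": Flow("tcp", "192.0.2.5", DIALER, 80),
    "ike_from_stranger": Flow("udp", "192.0.2.5", DIALER, 500),
}


def verdicts(acl_text):
    """Map each sample flow name to the verdict the given ACL text produces."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("working ACL 101", WORKING_ACL), ("generic inbound 121", GENERIC_INBOUND)):
        print(label)
        for name, v in verdicts(acl).items():
            print(f"  {name:20s} {v}")
```

Running it shows that both lists pass the peer's IKE, NAT-T, ESP and GRE and drop web and telnet from elsewhere, but they differ on where IKE and ESP may come from: the working list's udp isakmp and esp entries use any as the source, so IKE from an arbitrary address reaches the router, while the generic list limits those to the peer. Note also that the working list's permit ip host PEER host DIALER entry already matches every protocol from that peer, so the later gre line is redundant for it.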