06-08-2009 12:25 PM - edited 03-04-2019 05:01 AM
Greetings,
I am interested in applying an access-list to a 2811 ISR branch VPN router to block all traffic except VPN and remote management. Can someone assist me with this? Here is what I have. The VPN comes up just fine, but I lose remote management on the outside interface. I manage the router via SSH and/or HTTPS from HQ only.
ip access-list extended INTERNETFW
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any established
permit tcp X.X.X.X 0.0.0.31 eq ssh any
permit udp X.X.X.X 0.0.0.31 eq ssh any
permit tcp X.X.X.X 0.0.0.31 eq 443 any
deny ip any any log
06-08-2009 01:16 PM
Hello Todd,
For accessing SSH on the remote interface you may need a line like
permit tcp x.x.x.x 0.0.0.31 any eq ssh
Actually, the position of the ports counts, and the well-known port is on the server side if the ACL is applied inbound on the outside interface.
The same reasoning applies for TCP 443:
permit tcp x.x.x.x 0.0.0.31 any eq 443
Hope to help
Giuseppe
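To see why the position of "eq" matters, here is a small Python model of first-match ACL evaluation (an added example, not code from the original thread or from Cisco). The HQ block 203.0.113.0 0.0.0.31 and the router address 198.51.100.1 are constructed stand-ins for the masked X.X.X.X in the post; "established" is modelled as "ACK bit set".

```python
import ipaddress

# Constructed stand-ins for the thread's masked X.X.X.X 0.0.0.31 and the router's outside IP
HQ = ("203.0.113.0", "0.0.0.31")        # HQ management block, Cisco wildcard mask
ANY = ("0.0.0.0", "255.255.255.255")    # "any"

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def ace(action, proto, src, dst, sport=None, dport=None, established=False):
    """One access-list entry; sport/dport model 'eq' placed after the source/destination address."""
    return dict(action=action, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, established=established)

def ace_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *entry["src"]) and wildcard_match(pkt["dst"], *entry["dst"])):
        return False
    if entry["sport"] is not None and pkt.get("sport") != entry["sport"]:
        return False   # 'eq' after the source address tests the packet's SOURCE port
    if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
        return False   # 'eq' after the destination address tests the DESTINATION port
    if entry["established"] and not pkt.get("ack", False):
        return False   # 'established' only matches segments with ACK (or RST) set
    return True

def evaluate(acl, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"

COMMON = [ace("permit", "esp", ANY, ANY),
          ace("permit", "udp", ANY, ANY, dport=500),        # isakmp
          ace("permit", "tcp", ANY, ANY, established=True)]
# As posted: 'eq ssh' follows the SOURCE, so only packets with source port 22 match
AS_POSTED = COMMON + [ace("permit", "tcp", HQ, ANY, sport=22)]
# As corrected in the answer: 'eq ssh' follows the DESTINATION (the router's server port)
CORRECTED = COMMON + [ace("permit", "tcp", HQ, ANY, dport=22)]

# Constructed packets: an SSH SYN from an HQ admin host, and an IKE packet from the HQ VPN peer
SSH_SYN = dict(proto="tcp", src="203.0.113.7", sport=51234, dst="198.51.100.1", dport=22, ack=False)
IKE = dict(proto="udp", src="203.0.113.7", sport=500, dst="198.51.100.1", dport=500)

if __name__ == "__main__":
    print("as posted :", evaluate(AS_POSTED, SSH_SYN))   # deny   -> management lost
    print("corrected :", evaluate(CORRECTED, SSH_SYN))   # permit
    print("isakmp    :", evaluate(AS_POSTED, IKE))       # permit -> VPN still comes up
```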
06-08-2009 01:20 PM
Yes, you're correct. I figured it out. I appreciate your feedback. Thank you very much.