ACL's needed on firewall to allow IPSEC to VPN3000 via client ?

zabbas
Level 1

I wanted to find out which ACLs I will need on my firewall to allow the VPN client to connect to a VPN 3000 box via IPsec?

I think the first one should be this (for the IPsec key management). I'm assuming I need this?:

access-list 180 permit udp any host <vpnserver ip address> eq 500

I think there should be one more for the IPsec tunnel encapsulation (protocol 50?). Not sure what ACL I need for this one.

4 Replies

edadios
Cisco Employee

Here is a good link for you.

http://www.cisco.com/warp/customer/471/vpn_3000_faq.shtml#Q3

So the access-list could be like: access-list 108 permit esp any any.

Regards,

Thanks for the info. Actually, do you think it would be better to have:

access-list 108 permit esp any host

Also, with regards to the other ACL I had:

access-list 108 permit udp any host eq 500

Is this necessary for IPsec, or am I putting this in unnecessarily?

Thanks again.

You are correct, you can be more specific.

ESP is only for the encapsulation; you would still need UDP 500 for IKE.

So you need both access-lists.

Regards,
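The two entries the thread settles on, as an added example that is not part of this thread's posts or any Cisco code: a small Python evaluator for Cisco-style extended ACL lines, with 192.0.2.10 standing in as a constructed placeholder for the VPN 3000's address. It checks that the UDP/500 (IKE) and ESP (IP protocol 50) entries together admit an IPsec client while the implicit deny at the end of the list drops everything else, and that the ESP entry alone would block the IKE negotiation.

```python
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "192.0.2.10"  # constructed placeholder for the VPN 3000's outside address

# The two entries from the thread, applied inbound on the firewall's outside interface.
ACL_108 = [
    f"access-list 108 permit udp any host {VPN_SERVER} eq 500",  # IKE / ISAKMP
    f"access-list 108 permit esp any host {VPN_SERVER}",         # ESP, IP protocol 50
]

@dataclass
class Packet:
    proto: str                 # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None  # ESP carries no port number

def _addr(tokens, i):
    """Return (address or None for 'any', index of the next token)."""
    if tokens[i] == "any":
        return None, i + 1
    assert tokens[i] == "host", "only the 'any' and 'host A.B.C.D' forms are supported"
    return tokens[i + 1], i + 2

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    tokens = line.split()
    assert tokens[0] == "access-list", "not an access-list entry"
    action, proto = tokens[2], tokens[3]
    src, i = _addr(tokens, 4)
    dst, i = _addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
    return action, proto, src, dst, port

def acl_permits(acl, pkt):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for action, proto, src, dst, port in map(parse_entry, acl):
        if proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False  # implicit deny
```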

Thanks...everything is working fine now.

Now all I need to do is solve the problem of prompting users to change their password the first time they log on with their client. I've got another message posted for that.