ACL to restrict VPN client traffic (IOS router)

n.oneill
Level 1

Hi

I am having difficulty in restricting traffic from a VPN client. The VPN gateway is an IOS router running 12.2(15)T. When I apply "match address VPNcontrol" to the dynamic-map the tunnel fails to establish and debug states "Proxy Identities Not Supported". If I remove the ACL from the dynamic map the tunnel establishes fine. The client is 4.0.5A. The relevant config is as follows:

crypto isakmp policy 8
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group ******
 key *****
 pool vpnpool
crypto isakmp profile VPNclient
 match identity group *****
 client authentication list LOCAL
 isakmp authorization list LOCALDB
 client configuration address initiate
 client configuration address respond
!
!
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
!
crypto dynamic-map OUTSIDE 50
 set transform-set strong
 set isakmp-profile VPNclient
 match address VPNcontrol
!
!
crypto map OUTSIDE 10 ipsec-isakmp dynamic OUTSIDE
ip access-list extended VPNcontrol
 permit icmp x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255
 permit tcp x.x.x.x 0.0.0.255 host x.x.x.x eq x
 permit tcp x.x.x.x 0.0.0.255 host x.x.x.x eq x

Any ideas?

Thanks in advance

2 Replies

andy-cole
Level 1

This may be of help,

interface Serial0
 desc Internet link
 ip address 2.3.4.5 255.255.255.252
 ip access-group 120 in
 ip nat outside
 ip inspect lan out

access-list 120 permit esp host any host 2.3.4.5
access-list 120 permit udp host any host 2.3.4.5 eq isakmp
access-list 120 permit ip 172.16.1.0 0.0.0.255 172.16.49.0 0.0.0.255

This is from a configuration which runs Firewall, NAT and VPN client as well as site to site VPNs.

The outside access list on the serial interface has to allow in the ESP and ISAKMP, but also has to allow the un-encrypted traffic through as well.

The 172.16.1.0 subnet is the pool range assigned to the VPN clients. In my case I let any traffic through in this range, but you could restrict it to, say, Telnet by this ACL. I know if this entry is removed the VPN connects but the user cannot access any services.

Let me know if this resolves your issue, I'd be interested to hear how you get on.

Andy
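As an added example (not code from this thread or from Cisco), a small Python lint that parses an IOS-style config and flags the two conditions discussed above: a "match address" ACL on a dynamic map that serves VPN-client profiles, and an inbound ACL on the crypto-map interface that does not admit ESP or ISAKMP. The sample config is constructed from the thread's snippets with placeholder addresses; the "crypto map OUTSIDE" line on the interface is assumed, since the original post does not show the interface.

```python
import re

# Constructed sample with placeholder addresses; the interface's 'crypto map OUTSIDE' line is assumed.
SAMPLE_CONFIG = """\
crypto isakmp profile VPNclient
 client configuration address respond
crypto dynamic-map OUTSIDE 50
 set isakmp-profile VPNclient
 match address VPNcontrol
access-list 120 permit udp any host 2.3.4.5 eq isakmp
access-list 120 permit ip 172.16.1.0 0.0.0.255 172.16.49.0 0.0.0.255
interface Serial0
 ip access-group 120 in
 crypto map OUTSIDE
"""

def parse_ios(text):
    """Group an IOS config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_vpn_config(text):
    blocks, findings = parse_ios(text), []
    # Profiles that hand out client addresses serve remote-access (VPN client) peers.
    clients = {c.split()[-1] for c, subs in blocks if c.startswith("crypto isakmp profile")
               and any(s.startswith("client configuration address") for s in subs)}
    aces = [c for c, _ in blocks if c.startswith("access-list ")]
    for c, subs in blocks:
        if c.startswith("crypto dynamic-map"):
            profs = {s.split()[-1] for s in subs if s.startswith("set isakmp-profile")}
            # VPN clients propose their own proxy identities, so a 'match address' ACL on
            # their dynamic map is what produces "Proxy Identities Not Supported".
            if profs & clients and any(s.startswith("match address") for s in subs):
                findings.append(f"{c}: match address on a dynamic map serving VPN clients")
        elif c.startswith("interface") and any(s.startswith("crypto map") for s in subs):
            # The thread's pre-12.3(8)T rule: the inbound interface ACL must permit ESP and
            # ISAKMP (and the decrypted client traffic). The sample omits ESP on purpose.
            for num in re.findall(r"ip access-group (\S+) in", " ".join(subs)):
                for proto, needle in (("esp", " permit esp "), ("isakmp", " eq isakmp")):
                    if not any(a.startswith(f"access-list {num} ") and needle in a for a in aces):
                        findings.append(f"{c}: inbound ACL {num} does not permit {proto}")
    return findings
```

Run `audit_vpn_config(SAMPLE_CONFIG)` to see both findings; removing the "match address" line from the sample clears the first one.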

Thanks for the reply

It seems to ignore the ACL for the unencrypted traffic. I know they changed this in 12.3(8)T but I don't know why it does it with the version I'm running. I also don't really want to rely on the interface ACL method now that they have changed it.

Nick