12-11-2007 09:04 PM - edited 02-21-2020 03:25 PM
Ok, I have a Cisco 1721 running 12.4 Advanced Enterprise as my firewall/router, and it terminates my dial-in VPN. The VPN works; however, I cannot ping addresses inside the remote LAN unless I add the following line to my ACL on the Internet-facing interface: permit ip any any
I have already allowed UDP 500, 4500, and 10000. When I do a show access-list inbound, I see a hit count for isakmp, but not for 4500 or 10000, and I notice an increasing number on the deny ip any any after I ping. Now when I put in the permit any any, it works. Is there a quick fix? If not, I will scrub my config and paste it in.
12-18-2007 02:19 PM
Adding permit ip any any allows all IP addresses with any ports; that's why you see the count. You will find hit counts for port 4500 only if you have NAT-T enabled, and port 10,000 for split tunneling.
12-18-2007 05:13 PM
I think I found my issue. I added a line for "permit esp any any" and it seemed to fix it, even without the permit ip any any. The funny thing, though, is that I am not seeing any counters on the ACL line for permit esp any any, but it's working.
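As an added worked example (not the poster's configuration and not part of the original thread), here is what a complete inbound ACL for an IPsec remote-access VPN on an IOS router looks like. The point the thread turns on is that ESP is IP protocol 50, not a UDP or TCP port, so `permit udp ... eq 500` and `permit udp ... eq 4500` (IOS keywords `isakmp` and `non500-isakmp`) only admit the IKE negotiation; the encrypted data packets arrive as ESP and fall through to the deny line until a `permit esp` entry exists. UDP 4500 is used only when a client sits behind NAT (NAT-T), and TCP 10000 is the default port for the Cisco VPN Client's IPsec-over-TCP mode. The outside address 203.0.113.1, the interface name FastEthernet0 and the ACL name INBOUND are assumptions for illustration.

```cisco
! Assumed outside interface address: 203.0.113.1 (documentation range)
ip access-list extended INBOUND
 remark IKE phase 1/2 negotiation (UDP 500)
 permit udp any host 203.0.113.1 eq isakmp
 remark NAT-T: IKE and ESP-in-UDP when the client is behind NAT (UDP 4500)
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark Cisco VPN Client IPsec over TCP, default port 10000 (only if enabled)
 permit tcp any host 203.0.113.1 eq 10000
 remark ESP is IP protocol 50; the udp/tcp lines above do NOT cover it
 permit esp any host 203.0.113.1
 remark AH (IP protocol 51) only if a transform set uses it
 permit ahp any host 203.0.113.1
 remark Everything else is dropped; log to see what was hitting the deny
 deny ip any any log
!
interface FastEthernet0
 ip access-group INBOUND in
```

To verify without resorting to `permit ip any any`, clear the counters with `clear access-list counters INBOUND`, ping through the tunnel, and compare `show access-lists INBOUND` against `show crypto ipsec sa`; the `#pkts encaps` and `#pkts decaps` counters in the latter confirm that ESP traffic is actually being processed even if the ACL hit count on the `permit esp` line does not rise as expected. Keeping the `log` keyword on the final deny makes the next missing protocol or port visible in the log instead of a silent counter increment.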