IOS VPN Access List Question

chris.ames
Level 1

I have configured a router to terminate connections from PCs running V4.0.5 of the VPN client. However, on trying to connect to a server on the private side of the network, the connection fails and, on the syslog server, the following messages are logged:

%SEC-6-IPACCESSLOGP: list FastEthernet0/1.78:IN denied tcp 10.10.3.109(2162) (FastEthernet0/1.78 2e36.342e.3233) -> 172.31.251.129(3389), 1 packet

However, the FastEthernet0/1.78:IN access list contains appropriate permit statements prior to the deny any any log-input final entry:

RTR-INET1-01#sh access-list FastEthernet0/1.78:IN
Extended IP access list FastEthernet0/1.78:IN
[output omitted]
990 permit tcp 10.10.3.0 0.0.0.255 host 172.31.251.129 eq 3389
1000 deny ip any any log-input (2706 matches)

Apart from removing the access list from the interface in question, is there anything I have missed out? Removing the access list from the interface is not an option, as this is on one of our Internet connections.

2 Replies

Richard Burts
Hall of Fame

This does seem fairly strange. The syntax of the access list part that you posted indicates that the packet should have been permitted if it had gotten to statement 990 but it was denied.

One possible explanation is that there is some deny higher in the list that is stopping the packet, not the deny any any at the end.

One suggestion would be to rewrite the access list and put the permit tcp 10.10.3.0 0.0.0.255 host 172.31.251.129 eq 3389 up at the top instead of down at the bottom where it currently is.

Another alternative would be to post the configuration of the interface and of the entire access list so that we could look at them.

HTH

Rick

Rick,

The ACL had a deny on the full class A subnet ahead of the permit I had added towards the end. Moving the permit to the top had the desired effect.

I should have spotted that one a lot earlier :-)
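As an added illustration of the first-match behaviour Rick describes and the shadowed permit the thread ends on, here is a small Python model of an extended IOS ACL (example code written for this page, not IOS code or anything posted in the thread). The earlier deny is assumed to be `deny ip 10.0.0.0 0.255.255.255 any`, since the thread only says "the full class A subnet" and does not show the line; the sequence number 10 for it is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port

def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn Cisco 'address wildcard' notation into a network (wildcard = inverted mask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def first_match(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """Evaluate top-down and stop at the first matching ACE, as IOS does.
    None stands for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.dport in (None, dport):
            return ace
    return None

def shadowed_permits(acl: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """Find permits that can never match because an earlier deny covers their whole scope."""
    found = []
    for i, p in enumerate(acl):
        if p.action != "permit":
            continue
        for d in acl[:i]:
            if d.action == "deny" and d.proto in ("ip", p.proto) \
                    and p.src.subnet_of(d.src) and p.dst.subnet_of(d.dst) \
                    and d.dport in (None, p.dport):
                found.append((p, d))
                break
    return found

# Constructed approximation of the list in the thread; seq 10 is the assumed class A deny.
BROKEN_ACL = [
    Ace(10, "deny", "ip", net("10.0.0.0", "0.255.255.255"), ANY),
    Ace(990, "permit", "tcp", net("10.10.3.0", "0.0.0.255"), net("172.31.251.129"), 3389),
    Ace(1000, "deny", "ip", ANY, ANY),
]
FIXED_ACL = [BROKEN_ACL[1], BROKEN_ACL[0], BROKEN_ACL[2]]  # permit moved to the top
```

Running `first_match` on the logged packet (10.10.3.109 to 172.31.251.129 port 3389) returns the seq 10 deny for BROKEN_ACL and the seq 990 permit for FIXED_ACL, and `shadowed_permits(BROKEN_ACL)` reports the 990/10 pair before any traffic is sent; if that class A deny exists for anti-spoofing, the reordered list now carves a single destination and port out of it, which is worth noting in the change record.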