Prevent rogue VPN client killing L2L

iholdings
Level 1

Greetings,

New to routers using VPN.

I have a rogue host behind our router using a VPN client. Whenever they fire up the client it's knocking down the L2L tunnel we have in place.

On the attached config. - where would I add an ACL entry to block this host from going out - or specifically prevent them on port 500 using the client?

Thanks in advance.

Accepted Solution

5220
Level 4

Hi,

Since the L2L is built on the outside interface, we will deny port 500 on the inside interface, thus disabling ISAKMP for the users:

Instead of your original ACL:

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

Add the new one:

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny udp any any eq isakmp
access-list 100 permit ip any any

Please rate if this helped.

Regards,

Daniel
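To check what the accepted ACL actually does to traffic entering from the inside, here is an added example (not Daniel's configuration and not Cisco code): a small Python model of first-match IOS numbered-ACL evaluation, run over the original ACL, the ACL from the answer, and a tighter variant that denies ISAKMP from the single rogue host only, which is closer to what the question asked for. The redacted "xx" network (203.0.113.0 here), the rogue host 192.168.1.50 and the remote peer 198.51.100.9 are constructed placeholders. The model also shows that the answer's entry leaves UDP 4500 (NAT-T, IOS keyword non500-isakmp) permitted, so a client that negotiates NAT traversal is not stopped by blocking port 500 alone.

```python
"""Added example: a minimal model of first-match Cisco IOS numbered-ACL
evaluation, used to check the ACLs in this thread.  It is not router code;
it only reproduces the permit/deny logic for the syntax seen above.
All addresses are constructed placeholders (the thread redacts its own as "xx")."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")

# IOS port keywords that matter for IPsec clients: IKE and NAT-T.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


def _match_addr(tokens, ip):
    """Consume one address spec (any | host A | NET WILDCARD); return (matched, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip == tokens[1], tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    addr = int(ipaddress.IPv4Address(ip))
    care = 0xFFFFFFFF ^ wild  # set wildcard bits mean "don't care"
    return (addr & care) == (net & care), tokens[2:]


def parse_acl(text):
    """Keep only permit/deny entries as token lists after the ACL number; skip remarks."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            entries.append(t[2:])
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in entries:
        action, proto, rest = ace[0], ace[1], ace[2:]
        if proto != "ip" and proto != pkt.proto:
            continue
        ok, rest = _match_addr(rest, pkt.src)
        if not ok:
            continue
        ok, rest = _match_addr(rest, pkt.dst)
        if not ok:
            continue
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
            if pkt.dport != port:
                continue
        return action
    return "deny"


def decision(acl_text, pkt):
    return evaluate(parse_acl(acl_text), pkt)


# Constructed stand-ins for the thread's ACLs (203.0.113.0/29 replaces the redacted "xx").
COMMON = """
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 203.0.113.0 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
"""
ORIGINAL_ACL = COMMON + "access-list 100 permit ip any any\n"
ANSWER_ACL = COMMON + ("access-list 100 deny udp any any eq isakmp\n"
                       "access-list 100 permit ip any any\n")
# Hypothetical tighter variant: deny IKE from the one rogue host only.
TARGETED_ACL = COMMON + ("access-list 100 deny udp host 192.168.1.50 any eq isakmp\n"
                         "access-list 100 permit ip any any\n")

# Constructed sample packets as seen inbound on the inside interface.
ROGUE_IKE = Packet("udp", "192.168.1.50", "198.51.100.9", 500)
ROGUE_NATT = Packet("udp", "192.168.1.50", "198.51.100.9", 4500)
OTHER_IKE = Packet("udp", "192.168.1.20", "198.51.100.9", 500)
WEB = Packet("tcp", "192.168.1.50", "198.51.100.9", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("answer", ANSWER_ACL), ("per-host", TARGETED_ACL)):
        for pkt in (ROGUE_IKE, ROGUE_NATT, OTHER_IKE, WEB):
            print(f"{name:9} {pkt.proto}/{pkt.dport} from {pkt.src}: {decision(acl, pkt)}")
```

Running it shows the answer's ACL denying UDP/500 from every inside host while still permitting UDP/4500 and ordinary TCP traffic; the per-host variant denies only the rogue host's IKE and leaves other users' ISAKMP untouched. Because the L2L tunnel's own IKE is sourced by the router on the outside interface, an inbound ACL on the inside interface does not affect it, which is the point Daniel makes above.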

2 Replies

Thanks Daniel. I instructed the user doing this to stop using the client while at this location using the L2L. I went ahead and added the deny to prevent this happening in the future.