05-17-2007 11:21 AM - edited 02-21-2020 03:03 PM
When using the following ACL on the router side of a PIX to 2651XM VPN,
no connectivity is established until the Access-Group is dropped from
the FastEthernet0/1 interface - then it comes up and works fine.
We need to harden this FE interface as it has a public IP on a router
with IOS support for VPNs.
What am I missing?
access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit ahp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit esp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit gre host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit icmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit igmp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 permit udp host AA.BB.CC.DD host WW.XX.YY.ZZ
access-list 150 deny ip any any
interface FastEthernet0/1
ip access-group 150 in
Note: host AA.BB.CC.DD is the PIX
host WW.XX.YY.ZZ is the 2651XM
05-23-2007 10:17 AM
Looks like the access-list is misconfigured.
Refer to this link for the Router and VPN Client for Public Internet on a Stick Configuration Example:
05-23-2007 10:57 AM
I have reviewed your link and don't see how that applies to my issue - it refers to a dynamic VPN for clients connecting to a router. I need a static point-to-point VPN between sites using a PIX and a router.
Let me restate the issue - the current VPN config works when the access-group is removed on the Fa0/1 interface - so it's got to be something missing in ACL 150. I think I've opened up all needed protocols on the router side...
05-23-2007 11:15 AM
Add log to the end of your ACL entry, try the VPN and see what is denied.
access-list 150 deny ip any any log
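To make the "see what is denied" step above concrete, here is an added example (not from the thread's posters and not Cisco code) that simulates IOS first-match evaluation of the thread's ACL 150, with the `log` keyword on the final deny as the last reply suggests. It runs constructed sample packets through the list and reports, per packet, which entry matched and whether the deny would be logged; it also flags entries that can never match because an earlier entry already covers them. The 203.0.113.10 / 198.51.100.1 addresses are documentation-range placeholders standing in for AA.BB.CC.DD (PIX) and WW.XX.YY.ZZ (2651XM), the 10.x LAN addresses are assumed, and only the `host`/`any` address forms used in the thread are modelled (no ports, since the ACL uses none). Whether a router also runs decrypted IPsec packets through the inbound interface ACL depends on the IOS release, so the last sample packet is included to show which line such a cleartext packet would hit if it is checked.

```python
"""First-match simulator for the Cisco-style access-list discussed in this thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders (documentation ranges) for the thread's AA.BB.CC.DD
# (PIX) and WW.XX.YY.ZZ (2651XM); not the poster's real addresses.
PIX = "203.0.113.10"
ROUTER = "198.51.100.1"

# The thread's ACL 150, with `log` on the final deny as the last reply suggests.
ACL_150 = f"""
access-list 150 remark Int Fa0/1 security for VPN use
access-list 150 permit ip host {PIX} host {ROUTER}
access-list 150 permit ahp host {PIX} host {ROUTER}
access-list 150 permit esp host {PIX} host {ROUTER}
access-list 150 permit gre host {PIX} host {ROUTER}
access-list 150 permit icmp host {PIX} host {ROUTER}
access-list 150 permit igmp host {PIX} host {ROUTER}
access-list 150 permit udp host {PIX} host {ROUTER}
access-list 150 deny ip any any log
"""


@dataclass
class Entry:
    seq: int        # 1-based position, remarks excluded
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: str        # "any" or a single host address
    dst: str
    log: bool
    text: str


@dataclass
class Packet:
    label: str
    proto: str
    src: str
    dst: str


def parse_acl(text: str) -> list[Entry]:
    """Parse `access-list N {permit|deny} PROTO SRC DST [log]` lines (host/any only)."""
    entries: list[Entry] = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[:2] != ["access-list", "150"] or tok[2] == "remark":
            continue  # remarks carry no match logic
        action, proto, rest = tok[2], tok[3], tok[4:]

        def take_addr(rest: list[str]) -> tuple[str, list[str]]:
            if rest[0] == "any":
                return "any", rest[1:]
            if rest[0] == "host":
                return rest[1], rest[2:]
            raise ValueError(f"unsupported address form: {rest}")

        src, rest = take_addr(rest)
        dst, rest = take_addr(rest)
        entries.append(Entry(len(entries) + 1, action, proto, src, dst, "log" in rest, raw.strip()))
    return entries


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or rule == addr


def evaluate(entries: list[Entry], pkt: Packet) -> tuple[str, Optional[Entry]]:
    """First matching entry wins; IOS appends an implicit, unlogged deny if nothing matches."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto)) and _addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst):
            return e.action, e
    return "deny", None


def shadowed_entries(entries: list[Entry]) -> list[int]:
    """Sequence numbers of entries an earlier entry makes unreachable (same or broader match)."""
    out = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if prev.proto in ("ip", e.proto) and _addr_match(prev.src, e.src) and _addr_match(prev.dst, e.dst):
                out.append(e.seq)
                break
    return out


# Constructed sample traffic arriving inbound on Fa0/1.
SAMPLE_PACKETS = [
    Packet("ISAKMP (UDP/500) from the PIX", "udp", PIX, ROUTER),
    Packet("ESP from the PIX", "esp", PIX, ROUTER),
    Packet("TCP from an unrelated Internet host", "tcp", "192.0.2.50", ROUTER),
    Packet("decrypted inner packet, LAN behind PIX -> LAN behind router", "tcp", "10.1.1.5", "10.2.2.5"),
]


def simulate(entries: Optional[list[Entry]] = None, packets: list[Packet] = SAMPLE_PACKETS):
    """Return (label, action, matched seq or None, would-be-logged) per packet."""
    entries = entries if entries is not None else parse_acl(ACL_150)
    return [(p.label, a, e.seq if e else None, bool(e and e.log))
            for p in packets for a, e in [evaluate(entries, p)]]


if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    for label, action, seq, logged in simulate(acl):
        print(f"{action:6} line {seq} logged={logged}: {label}")
    print("shadowed entries:", shadowed_entries(acl))
```

Running it shows that the `permit ip host PIX host ROUTER` entry already admits everything the peer sends, so the ahp/esp/gre/icmp/igmp/udp lines never match; the logged deny catches only traffic that does not come from the PIX's address, which is exactly what the `log` keyword will reveal on the real router.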