Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1668
Views
0
Helpful
5
Replies

vpn access-list

lyes.ouarti
Level 1
Level 1

‎09-29-2004 02:27 AM - edited ‎02-21-2020 01:22 PM

hi,

i want to restrict access to my peer vpn to allow him to access my server in just ftp service,

but when i do an access-list which allow just ftp, tcp 21, the pix displas a warning message that the vpn could not work properly.

can somebody tells me why? and how can i solve this problem.

thanks.

Labels:
0 Helpful
5 Replies 5

pkajekar
Level 1
Level 1

‎09-29-2004 03:31 AM

Yes. The inbould ACL should also allow IKE and IKAKMP traffic as well.

I am assuming you are using IOS. In IOS, the inbound ACL is evaluavate before and after decryption. With newer release, this is however not the case.

You can refer to

http://cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a008022c2a5.html

for more info on this matter.

Cheers,

~preetham

0 Helpful

lyes.ouarti
Level 1
Level 1
In response to pkajekar

‎09-29-2004 03:39 AM

hi, i am usign finesse(cisco pix firewall,) does it make any difference??

thanks.

0 Helpful

piseli
Level 1
Level 1
In response to lyes.ouarti

‎09-29-2004 08:00 AM

About what access-list are you talking:

1.) The VPN access-list

2.) The global inbount access-list on the outside interface.

3.) The NONAT access-list

Have you tryed this (for Point 1):

access-list VPN permit tcp inside-network inside-netmask PeerNetwork PeerMask eq 20

access-list VPN permit tcp inside-network inside-netmask PeerNetwork PeerMask eq 21

crypto map VPNmap 10 match address VPN

For Point 2:

access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp

access-list acs-outside permit esp host VPNPeer host MyPublicIP

access-list acs-outside permit ah host VPNPeer host MyPublicIP

access-list acs-outside permit tcp PeerNetwork PeerMask inside-network inside-netmask eq 21

access-list acs-outside permit tcp PeerNetwork PeerMask inside-network inside-netmask eq 20

access-group acs-outside in interface outside

You probably do not need the rules for TCP 20

sincerly

Patrick

0 Helpful

lyes.ouarti
Level 1
Level 1
In response to piseli

‎09-30-2004 02:33 AM

hi,

i was talking abouy the vpn access-list

thanks.

0 Helpful

pkajekar
Level 1
Level 1
In response to lyes.ouarti

‎09-29-2004 09:18 PM

In the case of PIX, packets destined to the device are not evaluavate against the inbound ACL.

Have a look at the discussion at

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd5e6ae/2#selected_message

- this will perhaps have answers to your queries.

Cheers,

~preetham

0 Helpful
Customers Also Viewed These Support Documents