VPN Client & CBAC

r-lemaster
Level 1

I'm using the Cisco VPN soft client behind a Cisco router running CBAC. What ports need to be open to allow the VPN client to operate correctly?

I'm currently using:

permit esp any any

permit udp any any eq isakmp

Accepted Solution

andy-cole
Level 1

These are required, but you may also need to open up UDP 10000 to support NAT-T if the IPSec has to cross a NAT boundary along its path.

You will also need to allow the VPN client pool address range access to whichever IP ranges they are to use. This is due to the packets passing via the ACL twice, once encrypted using ESP and ISAKMP, then again unencrypted.

So if the VPN client has a pool range of say 10.1.1.0/24 and it's to contact only the 10.2.0.0/16 subnet the ACL would look like:

ip access-list extended VPNACCESS

permit esp any any

permit udp any any eq isakmp

permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255

Andy
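To make the "ACL is evaluated twice" point concrete, here is an added example that is not part of the thread: a small evaluator for IOS-style extended ACL lines (wildcard masks, protocol, `eq` port) that checks the encrypted ESP packet on the first pass and the decrypted inner packet on the second. The client, gateway and inner addresses are constructed; it also shows that the standard NAT-T port, UDP 4500, is not covered by this ACL, only the UDP 10000 the answer names.

```python
import ipaddress
# Constructed sample: the ACL from the accepted answer (IOS "ip access-list
# extended" syntax) plus the UDP 10000 entry the answer mentions for NAT-T.
VPNACCESS = """
permit esp any any
permit udp any any eq isakmp
permit udp any any eq 10000
permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
"""
PORT_NAMES = {"isakmp": 500}
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t):
    """Consume 'any' or 'A.B.C.D WILDCARD' (IOS wildcard: a 1 bit means
    'don't care'); return ((base & care, care), remaining tokens)."""
    if t[0] == "any":
        return (0, 0), t[1:]
    care = ~_ip(t[1]) & 0xFFFFFFFF
    return (_ip(t[0]) & care, care), t[2:]

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, t = _addr(t[2:])
        dst, t = _addr(t)
        port = None
        if t and t[0] == "eq":
            port = PORT_NAMES[t[1]] if t[1] in PORT_NAMES else int(t[1])
        entries.append((action, proto, src, dst, port))
    return entries

def acl_permits(entries, proto, src, dst, dport=None):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, p, (sb, sc), (db, dc), port in entries:
        if p not in ("ip", proto) or (_ip(src) & sc) != sb or (_ip(dst) & dc) != db:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def vpn_flow_allowed(entries, client_ip, gateway_ip, inner_proto, inner_src, inner_dst):
    """Two passes, as the answer describes: the ESP packet (outer header) is
    checked once, then the decrypted cleartext packet (inner header) again."""
    return (acl_permits(entries, "esp", client_ip, gateway_ip)
            and acl_permits(entries, inner_proto, inner_src, inner_dst))
ACL = parse_acl(VPNACCESS)
```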
