VPN client through ACL issue

BP
Level 1

I have been trying to improve the firewall config on a client's router and found an ACL on the web that I liked. The problem is that when I apply it, it breaks the client's ability to use the Cisco VPN client; the VPN client gets no error, it just does not connect. So I am pretty sure it's something in the ACL config, but I am not seeing it. With the two attached configs, can anybody tell me what I am missing?

3 Replies

spremkumar
Level 9

Hi,

Two things that are visible are the IOS code being used on both routers and a slight difference in the ACL entries in the VPNNOTWORK.txt config file.

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log

Try altering the ACL by removing the statement below and check.

access-list 111 deny ip 10.0.0.0 0.255.255.255 any log

Regards

Correct on the different IOS version; I did update the router, but the vpnwork config works just fine with the new IOS.

I did try your suggestion, but I still get the same result of the VPN client not connecting. Also, I thought that the way I had this written, this filter only applied to incoming packets with an IP of 10.X.X.X and should not affect the internal NAT'ed network?

Hi,

Please modify your anti-spoofing config and check:

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log

Please add the following ACL entry at the end of the anti-spoofing config:

access-list 111 permit ip any any log

The config will then look like this:

access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 permit ip any any log

Thanks
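As an added illustration (not code from this thread or from Cisco), the Python script below evaluates the anti-spoofing entries quoted above the way IOS does, first match wins with an implicit deny at the end, and shows why a remote VPN client arriving from a public address is dropped until the final permit from the last reply is present, while the spoofed ranges stay blocked. The source addresses it tests are constructed, and it only evaluates the entries quoted in the thread, so any further entries in the full ACL 111 would change the outcome.

```python
import ipaddress

# Anti-spoofing entries exactly as quoted in the thread (ACL 111).
ACL_111 = """
access-list 111 remark -- Anti-spoofing BEGIN--------------
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip host 0.0.0.0 any log
"""
# The entry the last reply adds at the end of the anti-spoofing section.
FINAL_PERMIT = "access-list 111 permit ip any any log\n"

def parse_acl(text):
    """Parse 'access-list N deny|permit ip <src> any ...' lines into (action, src_network)."""
    # Source forms used in the thread: 'host A.B.C.D', 'A.B.C.D W.W.W.W' (contiguous
    # wildcard mask) and 'any'. Remark lines carry no match criteria and are skipped.
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] == "remark":
            continue
        action, src = tok[2], tok[4:]
        if src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        elif src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Wildcard: 0 bits must match, 1 bits are don't-care, so the prefix
            # length is 32 minus the number of trailing don't-care bits.
            wildcard = int(ipaddress.ip_address(src[1]))
            net = ipaddress.ip_network(f"{src[0]}/{32 - wildcard.bit_length()}", strict=False)
        entries.append((action, net))
    return entries

def evaluate(entries, src_ip):
    """First match wins; like IOS, fall through to an implicit deny when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"

if __name__ == "__main__":
    vpn_client = "203.0.113.7"  # constructed public address for the remote VPN client
    print("no final permit:", evaluate(parse_acl(ACL_111), vpn_client))
    print("final permit:   ", evaluate(parse_acl(ACL_111 + FINAL_PERMIT), vpn_client))
```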