Solved

Allowing IPSec through a cisco 1721

Posted on 2004-10-07
4
370 Views
Last Modified: 2010-04-17
Hi,
This must be a really simple question, but i think i am going round in circles.

I am trying to allow a L2TP vpn through my ACL. I have opened up port 1701 udp and tcp, esp, gre, and ahp, but syill cannot get the vpn client to connect. if i remove the acl it connects no problem.

Can anybody shed any light on wha i am blocking?

Cheers
Paul
0
Comment
Question by:beplas
  • 2
4 Comments
 
LVL 13

Accepted Solution

by:
Dr-IP earned 50 total points
ID: 12254915
My client connects from a random port TCP port to 1723 on the server. You can try opening that up and see if it works, if not, I’d temporarily remove the access and connect to the VPN server and use netstat to see what ports its using. If that doesn’t work I’d then install a packet sniffer like Ethereal and get a trace on it connecting and you should find our what you are missing in your access list.

http://www.ethereal.com/
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12258038
With the "debug ip packet detail command", you have the option to enter the name or number of an access list. Doing that causes the debug command to get focused only on those packets satisfying the access list's statements.  This will show you what is being blocked.  As always, beware of use the debug command since it can generate high CPU load and lots of output.
0
 

Author Comment

by:beplas
ID: 12259253
I tried as suggested, removing the access list, and then running net stat. Unfortunately it showed no udp connections. Ethereal worked, ISAKMP requires 2 ports, UDP 500 and 4500. Both ports are now open and all is working ok.

Thanks for your help.
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12260156
I should have noted to try netstat –a, which gets UDP ports too, but sometimes even though it should it still doesn’t tell you everything. Ethereal a great program for dealing with access lists and firewall issues, or any other issue involving IP communication. I know you can use debug on the router, but Ethereal is a lot more user friendly, especially since you can filter out trash that has no bearing on the problem you are working on, and can see the whole conversation in detail.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now