Solved

Allowing IPSec through a cisco 1721

Posted on 2004-10-07
420 Views
Last Modified: 2010-04-17
Hi,
This must be a really simple question, but I think I am going round in circles.

I am trying to allow an L2TP VPN through my ACL. I have opened up port 1701 UDP and TCP, ESP, GRE, and AHP, but still cannot get the VPN client to connect. If I remove the ACL it connects no problem.

Can anybody shed any light on what I am blocking?

Cheers
Paul
Question by:beplas
4 Comments
LVL 13

Accepted Solution

by:
Dr-IP earned 200 total points
ID: 12254915
My client connects from a random TCP port to 1723 on the server. You can try opening that up and see if it works; if not, I'd temporarily remove the access list and connect to the VPN server and use netstat to see what ports it's using. If that doesn't work I'd then install a packet sniffer like Ethereal and get a trace on it connecting, and you should find out what you are missing in your access list.

http://www.ethereal.com/
LVL 5

Expert Comment

by:netspec01
ID: 12258038
With the "debug ip packet detail" command, you have the option to enter the name or number of an access list. Doing that causes the debug command to focus only on those packets satisfying the access list's statements. This will show you what is being blocked. As always, beware of using the debug command since it can generate high CPU load and lots of output.

Author Comment

by:beplas
ID: 12259253
I tried as suggested, removing the access list, and then running netstat. Unfortunately it showed no UDP connections. Ethereal worked: ISAKMP requires 2 ports, UDP 500 and 4500. Both ports are now open and all is working OK.

Thanks for your help.
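The outcome above (the ACL permitted UDP/TCP 1701, ESP, GRE and AHP but not the two ISAKMP ports) is the kind of gap that is easy to check mechanically before pulling out a sniffer. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses numbered or named Cisco IOS extended ACL entries with first-match semantics and reports which of the flows an L2TP/IPsec client needs to reach the server (IKE on UDP 500, NAT-T on UDP 4500, and ESP) are not permitted. The ACL text, the host address 192.0.2.10 and the ACL number 101 are constructed placeholders that mirror the poster's description; the IOS port names `isakmp` and `non500-isakmp` are real IOS keywords for 500 and 4500.

```python
"""Check a Cisco IOS extended ACL for the flows an L2TP/IPsec client needs.

Added example, not from the original thread. ACL text and addresses below
are constructed placeholders.
"""
import re

# IOS accepts these names in place of port numbers (subset relevant here).
IOS_PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Flows the firewall must let through for an L2TP/IPsec client.  L2TP itself
# (UDP 1701) rides inside ESP or NAT-T, so it is not listed here.
REQUIRED = {
    "ISAKMP/IKE": ("udp", 500),
    "NAT-T": ("udp", 4500),
    "ESP": ("esp", None),  # protocol without ports
}

# Matches "access-list 101 permit udp ..." and named-ACL lines " permit udp ...".
ACE_RE = re.compile(r"^\s*(?:access-list\s+\S+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def _port(tok):
    """Translate a port token: number, known IOS name, or the raw name."""
    if tok.isdigit():
        return int(tok)
    return IOS_PORT_NAMES.get(tok.lower(), tok.lower())


def parse_acl(text):
    """Return [(action, proto, dst_port_or_None), ...] in ACL order.

    Addresses are skipped; only the protocol and the destination port
    (the operand of the last 'eq' on the line) matter for this check.
    """
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # headers such as 'ip access-list extended NAME', blanks
        action, proto, rest = m.group(1), m.group(2).lower(), m.group(3)
        tokens = rest.split()
        port = None
        if "eq" in tokens:
            idx = max(i for i, t in enumerate(tokens) if t == "eq")
            if idx + 1 < len(tokens):
                port = _port(tokens[idx + 1])
        aces.append((action, proto, port))
    return aces


def permits(aces, proto, port):
    """First matching entry decides; no match means the implicit deny."""
    for action, p, dport in aces:
        if p in ("ip", proto) and (dport is None or dport == port):
            return action == "permit"
    return False


def missing_flows(acl_text):
    """Names of REQUIRED flows the ACL does not permit."""
    aces = parse_acl(acl_text)
    return [name for name, (proto, port) in REQUIRED.items()
            if not permits(aces, proto, port)]


# Constructed ACL mirroring the question: 1701 udp/tcp, esp, gre, ahp.
ACL_BEFORE = """
access-list 101 permit udp any host 192.0.2.10 eq 1701
access-list 101 permit tcp any host 192.0.2.10 eq 1701
access-list 101 permit esp any host 192.0.2.10
access-list 101 permit gre any host 192.0.2.10
access-list 101 permit ahp any host 192.0.2.10
access-list 101 deny ip any any
"""

# Same ACL with the two ISAKMP ports the trace showed were needed.
ACL_AFTER = """
access-list 101 permit udp any host 192.0.2.10 eq isakmp
access-list 101 permit udp any host 192.0.2.10 eq non500-isakmp
access-list 101 permit udp any host 192.0.2.10 eq 1701
access-list 101 permit esp any host 192.0.2.10
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    print("before:", missing_flows(ACL_BEFORE) or "nothing missing")
    print("after: ", missing_flows(ACL_AFTER) or "nothing missing")
```

Run against the "before" ACL it reports ISAKMP/IKE and NAT-T as missing, matching what the Ethereal trace revealed; against the "after" ACL it reports nothing. The checker deliberately ignores addresses, so it tells you which protocol/port entries are absent, not whether the host or wildcard masks are right; for that, the focused `debug ip packet detail` with a small matching access list suggested earlier, or a packet trace, is still the way to confirm.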
LVL 13

Expert Comment

by:Dr-IP
ID: 12260156
I should have noted to try netstat -a, which gets UDP ports too, but sometimes even though it should it still doesn't tell you everything. Ethereal is a great program for dealing with access lists and firewall issues, or any other issue involving IP communication. I know you can use debug on the router, but Ethereal is a lot more user friendly, especially since you can filter out trash that has no bearing on the problem you are working on, and can see the whole conversation in detail.