Allowing IPSec through a cisco 1721

Posted on 2004-10-07
Last Modified: 2010-04-17
Hi,
This must be a really simple question, but I think I am going round in circles.

I am trying to allow an L2TP VPN through my ACL. I have opened up port 1701 UDP and TCP, ESP, GRE, and AHP, but still cannot get the VPN client to connect. If I remove the ACL it connects no problem.

Can anybody shed any light on what I am blocking?

Cheers
Paul
Question by:beplas
Accepted Solution by Dr-IP (earned 50 total points), ID: 12254915
My client connects from a random TCP port to 1723 on the server. You can try opening that up and see if it works; if not, I'd temporarily remove the access list, connect to the VPN server and use netstat to see what ports it's using. If that doesn't work I'd then install a packet sniffer like Ethereal and get a trace of it connecting, and you should find out what you are missing in your access list.

http://www.ethereal.com/
 
Expert Comment by netspec01, ID: 12258038
With the "debug ip packet detail" command, you have the option to enter the name or number of an access list. Doing that causes the debug command to focus only on those packets satisfying the access list's statements. This will show you what is being blocked. As always, beware of using the debug command, since it can generate high CPU load and lots of output.
Author Comment by beplas, ID: 12259253
I tried as suggested, removing the access list and then running netstat. Unfortunately it showed no UDP connections. Ethereal worked: ISAKMP requires 2 ports, UDP 500 and 4500. Both ports are now open and all is working OK.

Thanks for your help.
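A working Cisco IOS access list built from what the thread establishes (UDP 500 for ISAKMP, UDP 4500 for IKE/ESP over NAT-T, plus native ESP and AH), as an added example rather than anything posted in the thread. The interface name, the ACL names and the VPN server address 192.0.2.10 are assumptions. Two points worth knowing: the TCP 1723 mentioned earlier is PPTP, not L2TP/IPsec, so it is not needed for this client; and with L2TP/IPsec the L2TP packets on UDP 1701 travel inside ESP, so an ACL on the outside interface never sees port 1701 at all.

```cisco
! Assumed: outside interface FastEthernet0, L2TP/IPsec server at 192.0.2.10.
! Extended ACL applied inbound on the Internet-facing interface.
ip access-list extended OUTSIDE-IN
 remark --- L2TP/IPsec remote-access VPN ---
 remark IKE (ISAKMP), UDP 500
 permit udp any host 192.0.2.10 eq isakmp
 remark IKE and ESP encapsulated in UDP 4500 when the client sits behind NAT (NAT-T)
 permit udp any host 192.0.2.10 eq non500-isakmp
 remark Native ESP (IP protocol 50) when no NAT is in the path
 permit esp any host 192.0.2.10
 remark AH (IP protocol 51); only needed if the IPsec policy actually negotiates AH
 permit ahp any host 192.0.2.10
 remark Plain L2TP on UDP 1701 is only visible here if it is NOT wrapped in IPsec
 permit udp any host 192.0.2.10 eq 1701
 remark Log everything else that is dropped; each hit names protocol and ports
 deny ip any any log
!
interface FastEthernet0
 ip access-group OUTSIDE-IN in
!
! Narrow ACL used only to focus "debug ip packet detail" on the VPN traffic
! (the technique suggested above), so the debug does not flood the console.
access-list 150 permit udp any host 192.0.2.10 eq 500
access-list 150 permit udp any host 192.0.2.10 eq 4500
access-list 150 permit esp any host 192.0.2.10
!
! From enable mode, while reproducing the client connection:
!   configure terminal
!    interface FastEthernet0
!     no ip route-cache        ! debug ip packet only shows process-switched packets
!   end
!   debug ip packet detail 150
!   ... connect the VPN client ...
!   undebug all
!   configure terminal
!    interface FastEthernet0
!     ip route-cache           ! restore fast switching afterwards
!   end
```

The `deny ip any any log` entry is usually the quickest way to answer "what am I blocking": every dropped packet produces a log line with its protocol, addresses and ports, without any debug. The debug ACL is for the case where you also need to watch what is being permitted. Both the logging deny and `debug ip packet` cost CPU on a small router like the 1721, so remove them once the ACL is right.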
Expert Comment by Dr-IP, ID: 12260156
I should have noted to try netstat -a, which gets UDP ports too, but sometimes even though it should, it still doesn't tell you everything. Ethereal is a great program for dealing with access lists and firewall issues, or any other issue involving IP communication. I know you can use debug on the router, but Ethereal is a lot more user friendly, especially since you can filter out trash that has no bearing on the problem you are working on, and can see the whole conversation in detail.