Solved

Allowing IPSec through a cisco 1721

Posted on 2004-10-07
406 Views
Last Modified: 2010-04-17
Hi,
This must be a really simple question, but I think I am going round in circles.

I am trying to allow a L2TP VPN through my ACL. I have opened up port 1701 UDP and TCP, ESP, GRE, and AHP, but still cannot get the VPN client to connect. If I remove the ACL it connects no problem.

Can anybody shed any light on what I am blocking?

Cheers
Paul
Question by:beplas
4 Comments
 
LVL 13

Accepted Solution

by:
Dr-IP earned 50 total points
ID: 12254915
My client connects from a random TCP port to 1723 on the server. You can try opening that up and see if it works; if not, I'd temporarily remove the access list and connect to the VPN server and use netstat to see what ports it's using. If that doesn't work I'd then install a packet sniffer like Ethereal and get a trace of it connecting, and you should find out what you are missing in your access list.

http://www.ethereal.com/
 
LVL 5

Expert Comment

by:netspec01
ID: 12258038
With the "debug ip packet detail" command, you have the option to enter the name or number of an access list. Doing that causes the debug command to focus only on those packets satisfying the access list's statements. This will show you what is being blocked. As always, beware of using the debug command since it can generate high CPU load and lots of output.
 

Author Comment

by:beplas
ID: 12259253
I tried as suggested, removing the access list and then running netstat. Unfortunately it showed no UDP connections. Ethereal worked: ISAKMP requires 2 ports, UDP 500 and 4500. Both ports are now open and all is working OK.

Thanks for your help.
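The outcome above can be checked without touching the router. The following is an added example, not code from the thread: a small simulator of Cisco extended-ACL semantics (first match wins, implicit deny at the end) run over a constructed packet list of an inbound L2TP/IPsec connection. The original ACL from the question drops the first IKE packet on UDP 500, so the tunnel never starts; adding UDP 500 and 4500 lets the whole exchange through. Packet contents, ACL entries and order are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "esp", "gre", "ahp"
    dport: Optional[int]  # None for protocols without ports (esp, gre, ahp)


@dataclass(frozen=True)
class Ace:
    """One access-list entry, matching on protocol and destination port only."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Cisco ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def blocked_packets(acl: List[Ace], packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if evaluate(acl, p) == "deny"]


# Constructed inbound packets of an L2TP/IPsec client connecting, in the
# order they arrive at the outside interface (source ports omitted).
L2TP_IPSEC_HANDSHAKE = [
    Packet("udp", 500),   # IKE (ISAKMP) phase 1
    Packet("udp", 4500),  # IKE and ESP after NAT-T is negotiated
    Packet("esp", None),  # plain ESP when there is no NAT in the path
    Packet("udp", 1701),  # L2TP; normally carried inside ESP, shown for completeness
]

# What the question originally permitted: 1701 udp/tcp, esp, gre, ahp.
ORIGINAL_ACL = [
    Ace("permit", "udp", 1701), Ace("permit", "tcp", 1701),
    Ace("permit", "esp"), Ace("permit", "gre"), Ace("permit", "ahp"),
]
# The fix from the accepted answer: IKE on UDP 500 and NAT-T on UDP 4500.
FIXED_ACL = [Ace("permit", "udp", 500), Ace("permit", "udp", 4500)] + ORIGINAL_ACL
```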
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12260156
I should have noted to try netstat -a, which gets UDP ports too, but sometimes even though it should it still doesn't tell you everything. Ethereal is a great program for dealing with access lists and firewall issues, or any other issue involving IP communication. I know you can use debug on the router, but Ethereal is a lot more user friendly, especially since you can filter out trash that has no bearing on the problem you are working on, and can see the whole conversation in detail.