Solved

Allowing IPSec through a cisco 1721

Posted on 2004-10-07
Last Modified: 2010-04-17
Hi,
This must be a really simple question, but I think I am going round in circles.

I am trying to allow an L2TP VPN through my ACL. I have opened up port 1701 UDP and TCP, ESP, GRE, and AHP, but still cannot get the VPN client to connect. If I remove the ACL it connects no problem.

Can anybody shed any light on what I am blocking?

Cheers
Paul
Question by: beplas
 
Accepted Solution by: Dr-IP (LVL 13, earned 50 total points)
ID: 12254915
My client connects from a random TCP port to 1723 on the server. You can try opening that up and see if it works; if not, I'd temporarily remove the access list and connect to the VPN server and use netstat to see what ports it's using. If that doesn't work I'd then install a packet sniffer like Ethereal and get a trace of it connecting, and you should find out what you are missing in your access list.

http://www.ethereal.com/
 
Expert Comment by: netspec01 (LVL 5)
ID: 12258038
With the "debug ip packet detail" command, you have the option to enter the name or number of an access list. Doing that causes the debug command to focus only on those packets satisfying the access list's statements. This will show you what is being blocked. As always, beware of using the debug command, since it can generate high CPU load and lots of output.
 

Author Comment by: beplas
ID: 12259253
I tried as suggested, removing the access list, and then running netstat. Unfortunately it showed no UDP connections. Ethereal worked: ISAKMP requires 2 ports, UDP 500 and 4500. Both ports are now open and all is working OK.

Thanks for your help.
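For reference, here is what the before and after access lists from this thread look like written out in IOS syntax. This is an added example, not the original poster's configuration (which is not shown in the thread); the ACL names, the interface FastEthernet0 and the server address 203.0.113.10 are assumptions. IOS accepts the port keywords `isakmp` and `non500-isakmp` as aliases for UDP 500 and UDP 4500.

```cisco
! Added example. Assumed: L2TP/IPsec server at 203.0.113.10, WAN interface FastEthernet0.
!
! Before: what the question describes. L2TP (1701), ESP, GRE and AH are
! permitted, but nothing lets the IKE negotiation in, so the IPsec SA is
! never built and the L2TP client times out.
ip access-list extended OUTSIDE-IN-BEFORE
 permit udp any host 203.0.113.10 eq 1701
 permit tcp any host 203.0.113.10 eq 1701
 permit esp any host 203.0.113.10
 permit gre any host 203.0.113.10
 permit ahp any host 203.0.113.10
 deny   ip any any log
!
! After: IKE on UDP 500 and NAT-Traversal on UDP 4500 are permitted first.
! When NAT-T is negotiated, the ESP packets are themselves wrapped in UDP
! 4500, so that line also carries the data; the plain ESP line covers
! clients that are not behind NAT. GRE is not needed for L2TP/IPsec (it
! belongs to PPTP), so it is dropped. Add AH back only if your IPsec
! policy actually negotiates it.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit udp any host 203.0.113.10 eq 1701
 deny   ip any any log
!
interface FastEthernet0
 ip access-group OUTSIDE-IN in
```

The explicit `deny ip any any log` at the end is the cheap version of the debugging advice above: `show access-lists OUTSIDE-IN` shows per-line match counters, and the logged denies name the protocol and port of whatever is still being dropped, without the CPU cost of `debug ip packet`.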
 
Expert Comment by: Dr-IP (LVL 13)
ID: 12260156
I should have noted to try netstat -a, which gets UDP ports too, but sometimes, even though it should, it still doesn't tell you everything. Ethereal is a great program for dealing with access list and firewall issues, or any other issue involving IP communication. I know you can use debug on the router, but Ethereal is a lot more user friendly, especially since you can filter out trash that has no bearing on the problem you are working on, and can see the whole conversation in detail.