Solved

Need simple syntax to update access list

Posted on 2004-10-15
5
354 Views
Last Modified: 2010-04-17
I'm going to update our router's access list to allow UDP/GRE/ESP packets for PPTP and L2TP VPN connections - right now they aren't working because I believe our Cisco 1721 is not letting the proper packets through.  I know how to log in and enable, etc -- but I'm a Cisco rookie.  Can someone tell me the commands to type to:

-Change the access list to allow:
      -UDP port 500 (IKE)
      -UDP port 1701 (L2TP)
      -UDP port 4500 (NAT-T)
      -IP Protocol gre (47)
      -IP Protocol esp (50)

I believe those are what's needed for both PPTP and L2TP connections.  Below is the router's current config:
User Access Verification

Password:
myRouter>en
Password:
myRouter#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(15)T11,  RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 30-Jan-04 19:56 by nmasa
Image text-base: 0x80008120, data-base: 0x80C53E9C

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

myRouter uptime is 1 week, 21 hours, 19 minutes
System returned to ROM by power-on
System restarted at 12:45:02 PDST Thu Oct 7 2004
System image file is "flash:c1700-sy-mz.122-15.T11.bin"

cisco 1721 (MPC860P) processor (revision 0x300) with 55408K/10128K bytes of memory.
Processor board ID FOC07511JGY (367879939), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

myRouter#show config
Using 2098 out of 29688 bytes
!
! Last configuration change at 08:02:01 PDST Wed May 5 2004
! NVRAM config last updated at 08:08:20 PDST Wed May 5 2004
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myRouter
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$z5SS$llDWYosAw5CTEh4jGC2XU1
!
clock timezone PDST -7
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 172.24.10.193 172.24.10.199
!
ip dhcp pool elkgrove
   network 172.24.10.192 255.255.255.192
   default-router 172.24.10.193
   option 66 ascii "64.2.21.45"
   lease 7
!
!
!
!
!
interface FastEthernet0
 no ip address
 speed auto
 no cdp enable
!
interface FastEthernet0.2
 description Voice Vlan
 encapsulation dot1Q 2
 ip address 172.24.10.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.3
 description WAN DATA Vlan
 encapsulation dot1Q 3
 ip address 67.102.56.241 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.4
 description Management Vlan
 encapsulation dot1Q 4
 ip address 172.20.4.169 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface Serial0
 ip address 172.17.7.10 255.255.255.252
 priority-group 3
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
no cdp run
!
snmp-server community picnic RO
snmp-server enable traps tty
!
line con 0
 password ****
 login
line aux 0
line vty 0 4
 password ****
 login
!
no scheduler allocate
sntp server 64.2.21.49
end

myRouter#
Question by:mfarley
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 175 total points
ID: 12321758
As it stands right now, you have no access-list applied anywhere, so no ports are blocked; all ports to all connections are permitted already.
There is nothing to change...
 

Author Comment

by:mfarley
ID: 12321780
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060

What do these mean then?
 

Author Comment

by:mfarley
ID: 12321803
I thought I had a problem similar to these:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002543
http://www.ozzu.com/ftopic24354.html
Quote: "Thank you , the problem is solved. You are right. The vendor configured some access-list on the router. After removing it works. May be the 1721 router is not a stateful firewall.. so we need to manually allow incoming return traffic as well. Not sure whether it is right as they don't allow me to view the config"
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 150 total points
ID: 12321830
Access-list 130 is referenced in priority-list 3 and defines what IP traffic gets priority over other IP traffic.  It is not being used to block ports.  As lrmoore said, it is not applied to an interface and therefore all connections are permitted.
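The point made in the two answers above (an ACL only filters traffic where an `ip access-group` applies it to an interface; a `priority-list` reference merely classifies traffic for queueing) can be checked mechanically. The following is an added Python example, not code from this thread; it parses a constructed excerpt of the posted config and reports, per ACL, whether it is applied as a filter or only referenced by a priority-list.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the question (interface and
# ACL lines only); the names and numbers are the ones from that config.
CONFIG = """\
interface FastEthernet0.3
 description WAN DATA Vlan
 ip address 67.102.56.241 255.255.255.240
!
interface Serial0
 ip address 172.17.7.10 255.255.255.252
 priority-group 3
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
"""

def acl_usage(config):
    """Map each numbered ACL to how the config uses it: 'filter' lists interfaces
    carrying 'ip access-group <acl> in|out' (only there can the ACL drop packets);
    'priority' lists priority-lists that merely use it to classify traffic."""
    usage = defaultdict(lambda: {"entries": 0, "filter": [], "priority": []})
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if not line.startswith(" "):
            iface = None  # '!' or a global command ends the interface stanza
        m = re.match(r"access-list (\d+) ", line)
        if m:
            usage[m.group(1)]["entries"] += 1
            continue
        m = re.match(r" ip access-group (\S+) (in|out)$", line)
        if m and iface:
            usage[m.group(1)]["filter"].append(f"{iface} {m.group(2)}")
            continue
        m = re.match(r"priority-list (\d+) protocol \S+ \S+ list (\d+)", line)
        if m:
            usage[m.group(2)]["priority"].append(f"priority-list {m.group(1)}")
    return dict(usage)

def blocking_acls(config):
    """ACLs that can actually block traffic: those applied with ip access-group."""
    return sorted(a for a, u in acl_usage(config).items() if u["filter"])
```

For the posted config `blocking_acls` returns an empty list, which is exactly why adding permit lines to access-list 130 would change nothing.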
 

Author Comment

by:mfarley
ID: 12321867
This just demonstrates how well I know Ciscos :/

Thanks guys!

The problem must be with my Linksys BEFVP41; even though I turn PPTP Pass-through and L2TP Pass-through "ON/ENABLE" and forward the UDP/TCP ports, I still can't get a VPN through it :(