Solved

Need simple syntax to update access list

Posted on 2004-10-15
Last Modified: 2010-04-17
I'm going to update our router's access list to allow UDP/GRE/ESP packets for PPTP and L2TP VPN connections - right now they aren't working because I believe our Cisco 1721 is not letting the proper packets through.  I know how to log in and enable, etc -- but I'm a Cisco rookie.  Can someone tell me the commands to type to:

-Change the access list to allow:
      -UDP port 500 (IKE)
      -UDP port 1701 (L2TP)
      -UDP port 4500 (NAT-T)
      -IP Protocol gre (47)
      -IP Protocol esp (50)

I believe those are what's needed for both PPTP and L2TP connections.  Below is the router's current config:
User Access Verification

Password:
myRouter>en
Password:
myRouter#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(15)T11,  RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 30-Jan-04 19:56 by nmasa
Image text-base: 0x80008120, data-base: 0x80C53E9C

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

myRouter uptime is 1 week, 21 hours, 19 minutes
System returned to ROM by power-on
System restarted at 12:45:02 PDST Thu Oct 7 2004
System image file is "flash:c1700-sy-mz.122-15.T11.bin"

cisco 1721 (MPC860P) processor (revision 0x300) with 55408K/10128K bytes of memory.
Processor board ID FOC07511JGY (367879939), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

myRouter#show config
Using 2098 out of 29688 bytes
!
! Last configuration change at 08:02:01 PDST Wed May 5 2004
! NVRAM config last updated at 08:08:20 PDST Wed May 5 2004
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myRouter
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$z5SS$llDWYosAw5CTEh4jGC2XU1
!
clock timezone PDST -7
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 172.24.10.193 172.24.10.199
!
ip dhcp pool elkgrove
   network 172.24.10.192 255.255.255.192
   default-router 172.24.10.193
   option 66 ascii "64.2.21.45"
   lease 7
!
!
!
!
!
interface FastEthernet0
 no ip address
 speed auto
 no cdp enable
!
interface FastEthernet0.2
 description Voice Vlan
 encapsulation dot1Q 2
 ip address 172.24.10.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.3
 description WAN DATA Vlan
 encapsulation dot1Q 3
 ip address 67.102.56.241 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.4
 description Management Vlan
 encapsulation dot1Q 4
 ip address 172.20.4.169 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface Serial0
 ip address 172.17.7.10 255.255.255.252
 priority-group 3
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
no cdp run
!
snmp-server community picnic RO
snmp-server enable traps tty
!
line con 0
 password ****
 login
line aux 0
line vty 0 4
 password ****
 login
!
no scheduler allocate
sntp server 64.2.21.49
end

myRouter#
Question by:mfarley
LVL 79

Accepted Solution

by:
lrmoore earned 700 total points
ID: 12321758
As it stands right now, you have no access-list applied anywhere, so no ports are blocked; all ports to all connections are permitted already.
There is nothing to change...
Author Comment

by:mfarley
ID: 12321780
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060

What do these mean then?
Author Comment

by:mfarley
ID: 12321803
I thought I had a problem similar to these:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002543
http://www.ozzu.com/ftopic24354.html
Quote: "Thank you , the problem is solved. You are right. The vendor configured some access-list on the router. After removing it works. May be the 1721 router is not a stateful firewall.. so we need to manually allow incoming return traffic as well. Not sure whether it is right as they don't allow me to view the config"
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 600 total points
ID: 12321830
Access-list 130 is referenced in priority-list 3 and defines what IP traffic gets priority over other IP traffic.  It is not being used to block ports.  As lrmoore said, it is not applied to an interface and therefore all connections are permitted.
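Putting the two answers together, here is an added example (not code from the poster, the answerers or Cisco) that parses the posted config, reports that access-list 130 is only referenced by priority-list 3 and is bound to no interface with ip access-group, and then evaluates the five flows from the question against it, with the IOS implicit deny at the end, and against the entries the question originally asked for. SAMPLE_CONFIG is a constructed cut-down of the config above; the ACL number 101 and the TCP 1723 entry for the PPTP control channel are the example's own additions, and the parser only understands the numbered-ACL forms that appear in the posted config.

```python
"""Audit a Cisco IOS config for access-list use and test whether the VPN flows
from the question (IKE, L2TP, NAT-T, GRE, ESP) would pass. Added example for
this thread, not code from the poster, the answerers or Cisco. Only the
numbered-ACL syntax present in the posted config is understood; else it raises."""
import re

# Constructed excerpt of the poster's config: just the ACL-relevant lines.
SAMPLE_CONFIG = """\
interface FastEthernet0.3
 ip address 67.102.56.241 255.255.255.240
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
"""

# Flows from the question: (protocol, source port, destination port). GRE and
# ESP carry no ports; IKE, L2TP and NAT-T normally use the same port both ways.
VPN_FLOWS = {"IKE": ("udp", 500, 500), "L2TP": ("udp", 1701, 1701),
             "NAT-T": ("udp", 4500, 4500), "GRE": ("gre", None, None),
             "ESP": ("esp", None, None)}

ACE_RE = re.compile(
    r"^access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"any(?: range (?P<sr1>\d+) (?P<sr2>\d+)| eq (?P<sp>\d+))? "
    r"any(?: range (?P<dr1>\d+) (?P<dr2>\d+)| eq (?P<dp>\d+))?$")
# Top-level line naming an ACL ('... high list 130'); the lookbehind keeps
# 'priority-list 3' itself from being read as a reference to an ACL 3.
REF_RE = re.compile(r"(?<![\w-])(?:list|access-group) (\d+)\b")

def parse_config(text):
    """Return (acls, applied, refs): entries per ACL id, 'ip access-group'
    bindings keyed (interface, direction), and other lines naming an ACL."""
    acls, applied, refs, iface = {}, {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.startswith(" "):               # inside the current block
            m = re.match(r"\s+ip access-group (\S+) (in|out)$", line.rstrip())
            if iface and m:
                applied[(iface, m.group(2))] = m.group(1)
        else:
            iface = None                         # a top-level line ends a block
            if line.startswith("access-list "):
                m = ACE_RE.match(line.rstrip())
                if not m:
                    raise ValueError(f"unsupported ACE syntax: {line}")
                acls.setdefault(m["acl"], []).append(m.groupdict())
            elif m := REF_RE.search(line):
                refs.append((line.rstrip(), m.group(1)))
    return acls, applied, refs

def _port_ok(ace, side, port):
    """Does the ACE's port qualifier on side 's' or 'd' match 'port'?"""
    if ace[side + "p"] is not None:
        return port == int(ace[side + "p"])
    if ace[side + "r1"] is not None:
        return int(ace[side + "r1"]) <= port <= int(ace[side + "r2"])
    return True                                  # no qualifier: any port

def evaluate(aces, proto, sport, dport):
    """First-match evaluation of one flow, ending in IOS's implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if proto in ("tcp", "udp") and not (_port_ok(ace, "s", sport)
                                            and _port_ok(ace, "d", dport)):
            continue
        return ace["action"] == "permit"
    return False

def audit(config_text):
    """Per ACL: where it is applied, what else references it, and which VPN
    flows it would permit if it were bound to an interface."""
    acls, applied, refs = parse_config(config_text)
    return {aid: {"applied_to": [k for k, v in applied.items() if v == aid],
                  "referenced_by": [ln for ln, r in refs if r == aid],
                  "would_permit": {n: evaluate(aces, *f)
                                   for n, f in VPN_FLOWS.items()}}
            for aid, aces in acls.items()}

def vpn_permit_aces(acl_id="101"):
    """Entries permitting the question's flows, plus TCP 1723 for the PPTP
    control channel, which the question's list omits. Bound alone to an
    interface, this ACL's implicit deny blocks every other protocol."""
    return [f"access-list {acl_id} permit udp any any eq 500",    # IKE
            f"access-list {acl_id} permit udp any any eq 1701",   # L2TP
            f"access-list {acl_id} permit udp any any eq 4500",   # NAT-T
            f"access-list {acl_id} permit gre any any",           # protocol 47
            f"access-list {acl_id} permit esp any any",           # protocol 50
            f"access-list {acl_id} permit tcp any any eq 1723"]   # PPTP control

if __name__ == "__main__":
    for aid, info in audit(SAMPLE_CONFIG).items():
        print(aid, "applied to:", info["applied_to"] or "nothing", info["would_permit"])
```

Run against the excerpt it reports that ACL 130 is applied to nothing, which is why no traffic is filtered; the same evaluator shows that if 130 were ever bound inbound on the WAN subinterface it would deny all five VPN flows, and that an ACL made only of the vpn_permit_aces() lines would drop everything else, so any inbound ACL added later has to permit the existing traffic as well.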
Author Comment

by:mfarley
ID: 12321867
This just demonstrates how well I know Ciscos :/

Thanks guys!

The problem must be with my Linksys BEFVP41; even though I turn PPTP Pass-through and L2TP Pass-through "ON/ENABLE" and forward the UDP/TCP ports, I still can't get a VPN through it :(