Solved

Need simple syntax to update access list

Posted on 2004-10-15
5
343 Views
Last Modified: 2010-04-17
I'm going to update our router's access list to allow UDP/GRE/ESP packets for PPTP and L2TP VPN connections - right now they aren't working because I believe our Cisco 1721 is not letting the proper packets through.  I know how to log in and enable, etc -- but I'm a Cisco rookie.  Can someone tell me the commands to type to:

-Change the access list to allow:
      -UDP port 500 (IKE)
      -UDP port 1701 (L2TP)
      -UDP port 4500 (NAT-T)
      -IP Protocol gre (47)
      -IP Protocol esp (50)

I believe those are what's needed for both PPTP and L2TP connections.  Below is the router's current config:
User Access Verification

Password:
myRouter>en
Password:
myRouter#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(15)T11,  RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 30-Jan-04 19:56 by nmasa
Image text-base: 0x80008120, data-base: 0x80C53E9C

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

myRouter uptime is 1 week, 21 hours, 19 minutes
System returned to ROM by power-on
System restarted at 12:45:02 PDST Thu Oct 7 2004
System image file is "flash:c1700-sy-mz.122-15.T11.bin"

cisco 1721 (MPC860P) processor (revision 0x300) with 55408K/10128K bytes of memory.
Processor board ID FOC07511JGY (367879939), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

myRouter#show config
Using 2098 out of 29688 bytes
!
! Last configuration change at 08:02:01 PDST Wed May 5 2004
! NVRAM config last updated at 08:08:20 PDST Wed May 5 2004
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myRouter
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$z5SS$llDWYosAw5CTEh4jGC2XU1
!
clock timezone PDST -7
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 172.24.10.193 172.24.10.199
!
ip dhcp pool elkgrove
   network 172.24.10.192 255.255.255.192
   default-router 172.24.10.193
   option 66 ascii "64.2.21.45"
   lease 7
!
!
!
!
!
interface FastEthernet0
 no ip address
 speed auto
 no cdp enable
!
interface FastEthernet0.2
 description Voice Vlan
 encapsulation dot1Q 2
 ip address 172.24.10.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.3
 description WAN DATA Vlan
 encapsulation dot1Q 3
 ip address 67.102.56.241 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.4
 description Management Vlan
 encapsulation dot1Q 4
 ip address 172.20.4.169 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface Serial0
 ip address 172.17.7.10 255.255.255.252
 priority-group 3
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
no cdp run
!
snmp-server community picnic RO
snmp-server enable traps tty
!
line con 0
 password ****
 login
line aux 0
line vty 0 4
 password ****
 login
!
no scheduler allocate
sntp server 64.2.21.49
end

myRouter#
Question by:mfarley
5 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 175 total points
ID: 12321758
As it stands right now, you have no access-list applied anywhere, so no ports are blocked; all ports to all connections are permitted already.
There is nothing to change...

Author Comment

by:mfarley
ID: 12321780
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060

What do these mean then?

Author Comment

by:mfarley
ID: 12321803
I thought I had a problem similar to these:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002543
http://www.ozzu.com/ftopic24354.html
Quote: "Thank you , the problem is solved. You are right. The vendor configured some access-list on the router. After removing it works. May be the 1721 router is not a stateful firewall.. so we need to manually allow incoming return traffic as well. Not sure whether it is right as they don't allow me to view the config"
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 150 total points
ID: 12321830
Access-list 130 is referenced in priority-list 3 and defines what IP traffic gets priority over other IP traffic.  It is not being used to block ports.  As lrmoore said, it is not applied to an interface and therefore all connections are permitted.
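As an added example that is not part of any post above, here is a small Python check that makes the point of the two answers mechanical: it walks an IOS-style config and reports, for each access-list, whether it is applied as a packet filter with `ip access-group` on an interface or only referenced elsewhere (such as by a priority-list, as with access-list 130 here). The sample config is constructed from the question's own lines plus a hypothetical access-list 101 applied on FastEthernet0.3 so that both outcomes appear.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL / priority-list lines from the question's config,
# plus a HYPOTHETICAL access-list 101 applied inbound on FastEthernet0.3.
SAMPLE_CONFIG = """\
interface FastEthernet0.3
 description WAN DATA Vlan
 ip access-group 101 in
!
interface Serial0
 priority-group 3
!
access-list 101 permit udp any any eq 500
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
"""

# Numbered ACL entries or the header of a named ACL block.
ACL_DEF = re.compile(r"^(?:access-list (\d+)|ip access-list (?:standard|extended) (\S+))")
# Only this, under an interface, makes an ACL filter packets.
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")
# A QoS reference: classifies traffic, blocks nothing.
PRIORITY_REF = re.compile(r"^priority-list (\d+) protocol \S+ \S+ list (\S+)")

def classify_acls(config):
    """Map each ACL to the interfaces it filters on and its other references."""
    acls = defaultdict(lambda: {"filters": [], "other_refs": []})
    iface = None
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            _ = acls[m.group(1) or m.group(2)]  # register the definition
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.strip() == "!":
            iface = None  # end of the interface block
        m = ACCESS_GROUP.match(line)
        if m and iface:
            acls[m.group(1)]["filters"].append(f"{iface} {m.group(2)}")
        m = PRIORITY_REF.match(line)
        if m:
            acls[m.group(2)]["other_refs"].append(f"priority-list {m.group(1)}")
    return dict(acls)

def unapplied_acls(config):
    """ACLs that are defined but never applied with ip access-group."""
    return sorted(n for n, u in classify_acls(config).items() if not u["filters"])
```

Running it on the sample reports access-list 130 as unapplied (referenced only by priority-list 3) and access-list 101 as filtering inbound on FastEthernet0.3.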

Author Comment

by:mfarley
ID: 12321867
This just demonstrates how well I know Ciscos :/

Thanks guys!

The problem must be with my linksys BEFVP41, even though I turn PPTP Pass-through and L2TP Pass-through "ON/ENABLE" and forward the UDP/TCP ports, I still can't get a VPN through it :(
