mfarley

asked on

Need simple syntax to update access list

I'm going to update our router's access list to allow UDP/GRE/ESP packets for PPTP and L2TP VPN connections - right now they aren't working because I believe our Cisco 1721 is not letting the proper packets through. I know how to log in and enable, etc. -- but I'm a Cisco rookie. Can someone tell me the commands to type to:

-Change the access list to allow:
      -UDP port 500 (IKE)
      -UDP port 1701 (L2TP)
      -UDP port 4500 (NAT-T)
      -IP Protocol gre (47)
      -IP Protocol esp (50)

I believe those are what's needed for both PPTP and L2TP connections. Below is the router's current config:
User Access Verification

Password:
myRouter>en
Password:
myRouter#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(15)T11,  RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 30-Jan-04 19:56 by nmasa
Image text-base: 0x80008120, data-base: 0x80C53E9C

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

myRouter uptime is 1 week, 21 hours, 19 minutes
System returned to ROM by power-on
System restarted at 12:45:02 PDST Thu Oct 7 2004
System image file is "flash:c1700-sy-mz.122-15.T11.bin"

cisco 1721 (MPC860P) processor (revision 0x300) with 55408K/10128K bytes of memory.
Processor board ID FOC07511JGY (367879939), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

myRouter#show config
Using 2098 out of 29688 bytes
!
! Last configuration change at 08:02:01 PDST Wed May 5 2004
! NVRAM config last updated at 08:08:20 PDST Wed May 5 2004
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myRouter
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$z5SS$llDWYosAw5CTEh4jGC2XU1
!
clock timezone PDST -7
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 172.24.10.193 172.24.10.199
!
ip dhcp pool elkgrove
   network 172.24.10.192 255.255.255.192
   default-router 172.24.10.193
   option 66 ascii "64.2.21.45"
   lease 7
!
!
!
!
!
interface FastEthernet0
 no ip address
 speed auto
 no cdp enable
!
interface FastEthernet0.2
 description Voice Vlan
 encapsulation dot1Q 2
 ip address 172.24.10.193 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.3
 description WAN DATA Vlan
 encapsulation dot1Q 3
 ip address 67.102.56.241 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0.4
 description Management Vlan
 encapsulation dot1Q 4
 ip address 172.20.4.169 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface Serial0
 ip address 172.17.7.10 255.255.255.252
 priority-group 3
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060
priority-list 3 protocol ip high list 130
priority-list 3 queue-limit 20 20 10 10
no cdp run
!
snmp-server community picnic RO
snmp-server enable traps tty
!
line con 0
 password ****
 login
line aux 0
line vty 0 4
 password ****
 login
!
no scheduler allocate
sntp server 64.2.21.49
end

myRouter#
ASKER CERTIFIED SOLUTION
Les Moore
mfarley

ASKER

access-list 130 permit udp any range 16384 32767 any
access-list 130 permit udp any range 1024 1151 any
access-list 130 permit udp any any eq 2727
access-list 130 permit udp any any eq 2429
access-list 130 permit udp any any eq 2432
access-list 130 permit udp any any eq 5060

What do these mean then?
mfarley

ASKER

I thought I had a problem similar to these:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002543
http://www.ozzu.com/ftopic24354.html
Quote: "Thank you , the problem is solved. You are right. The vendor configured some access-list on the router. After removing it works. May be the 1721 router is not a stateful firewall.. so we need to manually allow incoming return traffic as well. Not sure whether it is right as they don't allow me to view the config"
SOLUTION
mfarley

ASKER

This just demonstrates how well I know Ciscos :/

Thanks guys!

The problem must be with my linksys BEFVP41, even though I turn PPTP Pass-through and L2TP Pass-through "ON/ENABLE" and forward the UDP/TCP ports, I still can't get a VPN through it :(