eggster34
asked on
Client VPN does not work when ACL is applied.
Hi
I have a Cisco 857 router that is set up as a VPN endpoint where my clients should connect with Cisco VPN Client 4.x.
When I set this access list on the outside interface, my VPN clients cannot even start initiating a VPN session. When I remove this access list, it works perfectly.
What am I missing here? What additional traffic should I allow on my access list for VPN connections to work OK?
Extended IP access list 110
10 permit tcp any any eq telnet (94 matches)
20 permit tcp any host 217.36.x.x eq 4125
30 permit tcp any host 217.36.x.x eq 3389
40 permit tcp any host 217.36.x.x eq 443
50 permit tcp any host 217.36.x.x eq www
60 permit tcp any host 217.36.x.x eq www
70 permit udp host 194.72.x.x eq domain host 217.36.x.x
80 permit udp host 194.72.x.x eq domain host 217.36.x.x
90 permit ip 10.1.0.0 0.0.0.255 any
100 permit ahp any host 217.36.x.x
110 permit esp any host 217.36.x.x
120 permit udp any host 217.36.x.x eq isakmp
130 permit udp any host 217.36.x.x eq non500-isakmp
140 deny ip 192.168.1.0 0.0.0.255 any
150 permit icmp any host 217.36.x.x echo-reply
160 permit icmp any host 217.36.x.x time-exceeded
170 permit icmp any host 217.36.x.x unreachable
180 deny ip 10.0.0.0 0.255.255.255 any
190 deny ip 172.16.0.0 0.15.255.255 any
200 deny ip 192.168.0.0 0.0.255.255 any
210 deny ip 127.0.0.0 0.255.255.255 any
220 deny ip host 255.255.255.255 any
230 deny ip host 0.0.0.0 any
240 deny ip any any log (1099 matches)
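One way to check which line of this ACL an IPsec client's packets actually hit is to replay them through the list in order, the way the router does. The following Python matcher is an added example written for this page, not code from the question, from Experts Exchange or from Cisco; it parses the `show access-lists` output format above and reports the first matching line (or the implicit deny). The masked octets 217.36.x.x and 194.72.x.x are filled with placeholder addresses (an assumption, not the poster's real addresses), and the client addresses in the traces are constructed documentation-range values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholders for the octets masked in the post (constructed; not the real addresses).
ROUTER_WAN = "217.36.0.1"    # stands in for 217.36.x.x
DNS_SERVER = "194.72.0.1"    # stands in for 194.72.x.x

# The "show access-lists" output from the question, placeholders substituted.
ACL_TEXT = """
10 permit tcp any any eq telnet (94 matches)
20 permit tcp any host 217.36.x.x eq 4125
30 permit tcp any host 217.36.x.x eq 3389
40 permit tcp any host 217.36.x.x eq 443
50 permit tcp any host 217.36.x.x eq www
60 permit tcp any host 217.36.x.x eq www
70 permit udp host 194.72.x.x eq domain host 217.36.x.x
80 permit udp host 194.72.x.x eq domain host 217.36.x.x
90 permit ip 10.1.0.0 0.0.0.255 any
100 permit ahp any host 217.36.x.x
110 permit esp any host 217.36.x.x
120 permit udp any host 217.36.x.x eq isakmp
130 permit udp any host 217.36.x.x eq non500-isakmp
140 deny ip 192.168.1.0 0.0.0.255 any
150 permit icmp any host 217.36.x.x echo-reply
160 permit icmp any host 217.36.x.x time-exceeded
170 permit icmp any host 217.36.x.x unreachable
180 deny ip 10.0.0.0 0.255.255.255 any
190 deny ip 172.16.0.0 0.15.255.255 any
200 deny ip 192.168.0.0 0.0.255.255 any
210 deny ip 127.0.0.0 0.255.255.255 any
220 deny ip host 255.255.255.255 any
230 deny ip host 0.0.0.0 any
240 deny ip any any log (1099 matches)
""".replace("217.36.x.x", ROUTER_WAN).replace("194.72.x.x", DNS_SERVER)

# IOS port keywords used in this ACL, and ICMP type keywords -> ICMP type numbers.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # ip, tcp, udp, icmp, esp, ahp
    src: ipaddress.IPv4Network
    sport: Optional[int]           # only set when the line carries "eq" after the source
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t, i):
    """Consume one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "address wildcard" form: ipaddress accepts a Cisco-style wildcard (host mask) after "/"
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str):
    rules = []
    for raw in text.strip().splitlines():
        t = re.sub(r"\(\d+ matches\)", "", raw).split()   # drop hit counters
        if not t:
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _addr(t, 3)
        sport = dport = icmp_type = None
        if i < len(t) and t[i] == "eq":
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _addr(t, i)
        if i < len(t) and t[i] == "eq":
            dport, i = _port(t[i + 1]), i + 2
        if proto == "icmp" and i < len(t) and t[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[t[i]]
        rules.append(Rule(seq, action, proto, src, sport, dst, dport, icmp_type))
    return rules


def trace(rules, proto, src, dst, sport=None, dport=None, icmp_type=None) -> Tuple[Optional[int], str]:
    """Return (sequence number, action) of the first line that matches, or (None, 'deny')
    for the implicit deny at the end of every IOS ACL. Evaluation is first-match, in order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.seq, r.action
    return None, "deny"


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    client = "203.0.113.7"   # constructed VPN client address
    print("IKE  (udp/500)  ->", trace(RULES, "udp", client, ROUTER_WAN, 500, 500))
    print("NAT-T(udp/4500) ->", trace(RULES, "udp", client, ROUTER_WAN, 4500, 4500))
    print("ESP             ->", trace(RULES, "esp", client, ROUTER_WAN))
    print("IKE to other IP ->", trace(RULES, "udp", client, "217.36.0.2", 500, 500))
```

Run as shown, IKE, NAT-T and ESP aimed at the address written into the `host` entries land on lines 120, 130 and 110 and are permitted, which is what the posted list says it should do. The same ISAKMP packet aimed at any other destination falls all the way to line 240, `deny ip any any log`, so when clients cannot even start a negotiation, that line's match counter and the router's log entries are the first place to compare the destination address the clients actually use against the one hard-coded in the ACL. The trace also makes the ordering visible: a source in 10.1.0.0/24 is permitted by line 90 before the RFC 1918 deny on line 180 is ever reached.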