
VPN access list


jvande (MIS)
Jun 6, 2001
I just configured some access lists and I am not sure what ports to enable to allow VPN connections through Windows 2000 RAS VPN. Can you tell me what ports and protocols I should enable? A sample extended access list would be great.

Thank you,
Josh
 
A basic configuration for allowing VPNs through (this is specific to IPSec VPNs, I'm not exactly sure what ports Win2000 VPNs use, you'll have to either look it up, or sniff the path to see what ports/protocols are being used.)

ip access-list extended VPN-ACCESS
permit udp x.x.x.x y.y.y.y x.x.x.x y.y.y.y eq 500
permit 50 x.x.x.x y.y.y.y x.x.x.x y.y.y.y
permit 51 x.x.x.x y.y.y.y x.x.x.x y.y.y.y
deny ip any any log

You'll have to allow this both inbound and outbound. It's best to specify the specific hosts you are connecting via VPNs with the x.x.x.x y.y.y.y (via a host x.x.x.x), but if you have more than one VPN, at least try and get it down to the subnet (i.e. do not do a 'permit udp any any eq 500').

Like I said, those protocols (50 and 51) and ports (UDP 500) are specific to IPSec VPNs; they may or may not be the same for Win2k VPNs. But you definitely need both protocols and ports, since VPNs operate on different protocols (other than IP, hence the 'permit 50 ...').

Hope this helps,
Paul
 
Standard Windows 2000 VPNs are PPTP based, so they use GRE. I don't recall the protocol number exactly, 47 I think.

 
Win 2k usually uses

PPTP VPN
protocol 47
tcp port 1723

L2TP VPN
UDP port 500,1701

Good luck
roman@nakhmanson.com
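Putting the replies above together, here is an added example (not from any poster in this thread) of a Cisco IOS extended access list that passes both Windows 2000 VPN types, PPTP (TCP 1723 plus GRE) and L2TP/IPSec (UDP 500 plus ESP), restricted to specific hosts as Paul recommends. It assumes a RAS server at the placeholder address 192.0.2.10 behind the router's outside interface and remote clients in the placeholder subnet 198.51.100.0/24; the interface name is also an assumption.

```cisco
! Added example, not the thread's own config. Placeholder addresses:
!   192.0.2.10        = Windows 2000 RAS server (inside)
!   198.51.100.0/24   = remote VPN clients (outside)
!
! Inbound on the outside interface: remote clients -> RAS server
ip access-list extended VPN-IN
 remark PPTP: TCP 1723 control channel, GRE (IP protocol 47) carries the tunnel
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 1723
 permit gre 198.51.100.0 0.0.0.255 host 192.0.2.10
 remark L2TP/IPSec: IKE on UDP 500, ESP (IP protocol 50) carries the L2TP payload
 permit udp 198.51.100.0 0.0.0.255 eq 500 host 192.0.2.10 eq 500
 permit esp 198.51.100.0 0.0.0.255 host 192.0.2.10
 remark UDP 1701 is only seen in the clear when L2TP runs without IPSec;
 remark with IPSec it travels inside ESP, so this line can be dropped
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 1701
 remark any other traffic you allow on this interface goes above this line
 deny ip any any log
!
! Outbound on the outside interface: RAS server -> remote clients (return traffic)
ip access-list extended VPN-OUT
 permit tcp host 192.0.2.10 eq 1723 198.51.100.0 0.0.0.255
 permit gre host 192.0.2.10 198.51.100.0 0.0.0.255
 permit udp host 192.0.2.10 eq 500 198.51.100.0 0.0.0.255 eq 500
 permit esp host 192.0.2.10 198.51.100.0 0.0.0.255
 permit udp host 192.0.2.10 eq 1701 198.51.100.0 0.0.0.255
 deny ip any any log
!
! Apply both lists on the outside interface (interface name is an assumption)
interface Serial0/0
 ip access-group VPN-IN in
 ip access-group VPN-OUT out
```

The `gre` and `esp` keywords are equivalent to `47` and `50`; if your IOS release does not accept them, use the numbers as in Paul's example. Logged hits on the final `deny` lines tell you quickly which port or protocol you are still missing.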

