VPN and ACLs 2


sikarius (Programmer), Dec 11, 2001
Hi everybody!!!

I have a little problem with my ACLs and a VPN client. I'm trying to establish an IPsec tunnel with my Cisco 1760 router. I put some ACLs in place to filter the traffic coming into my LAN, and I permit traffic with destination UDP/500 and IP protocols 50 and 51, but I can't establish the VPN. When I take off the ACL, everything works right.

My ACL is:

ip access-list extended ACLInternetIN
permit udp any any eq 500
permit esp any any
permit ahp any any

When I check the ACL with show ip access-list ACLInternetIN, I see some matches on "permit udp any any eq 500" but none on the other ACEs.

Could someone help me?

THANKS A LOT!!!

Certifications:
CCNA, BSCI, BCRAN, BCMSN, MCP

In Progress:
CCNP - Troubleshooting
 
With the ACL applied, check the output from "show crypto isakmp sa". Is it sitting at QM_IDLE?

A useful tip for checking and tuning ACLs: add a "deny ip any any log" at the end and see what gets output to your console port. It may become obvious what has gone wrong.

Also, if you apply an inbound ACL you will have to allow the client source address in as well, because the packets are decrypted before ACL processing.

If you're still stuck, post up the relevant bits of config; we should be able to see what's going wrong.
 
Please put a "deny ip any any log" as the last statement in the ACL and try it again. Then check the logger.
What version of IOS do you use? In version 12.3.8T they changed the ACL handling.
It should work with 12.3.8T or later; otherwise you have to additionally define the LAN traffic.
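Putting the two replies together, this is what the resulting configuration looks like. It is an added example, not config posted in the thread. The interface name, the crypto map name and all addresses (203.0.113.1 as the router's outside address, 192.168.1.0/24 as the LAN behind it, 198.51.100.0/24 as the pool handed to VPN clients) are assumptions chosen for illustration; the "permit ... host 203.0.113.1" lines also tighten the poster's "any any" to the router's own address, since the tunnel terminates on the router.

```cisco
! Added example, not from the original thread. Assumed values:
!   203.0.113.1      outside interface address (IKE/IPsec terminates here)
!   192.168.1.0/24   LAN behind the router
!   198.51.100.0/24  address pool assigned to VPN clients
!   VPNMAP           name of the crypto map already applied to the interface
!
ip access-list extended ACLInternetIN
 remark --- IKE (ISAKMP) negotiation, UDP/500, to the router itself
 permit udp any host 203.0.113.1 eq isakmp
 remark --- IPsec data plane: ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp any host 203.0.113.1
 permit ahp any host 203.0.113.1
 remark --- IOS before 12.3(8)T re-evaluates the inbound ACL against the
 remark --- decrypted packet, so the client -> LAN traffic must be permitted
 remark --- too. On 12.3(8)T and later this line is not needed for the tunnel.
 permit ip 198.51.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark --- Log everything still dropped; read it with "show logging"
 deny ip any any log
!
! Keep the logs in the local buffer so "show logging" shows the denies
logging buffered 16384 informational
!
interface FastEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.0
 ip access-group ACLInternetIN in
 crypto map VPNMAP
```

After applying it, bring the client up and run "show ip access-list ACLInternetIN" and "show logging": if the IKE and ESP lines show matches but the tunnel still fails, the logged denies show which source/destination pair the router is dropping, which on older IOS is typically the decrypted client-to-LAN traffic covered by the extra permit above.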
 