Step 1-6 Ensure Access Control Lists Are Compatible with IPSec
Make certain that any existing access lists on the VPN device and the
perimeter router don't block IPSec traffic. Perimeter routers frequently
implement restrictive security policies using ACLs. These policies often deny
all inbound traffic that isn't a response to a specific outbound request. This
restriction often blocks the inbound IPSec traffic necessary to establish a VPN
session.
Specific permit statements must be added to the inbound ACL to
allow IPSec traffic. The following ports and protocols should be left
open:
- IKE/ISAKMP: UDP port 500 (keyword: isakmp)
- Encapsulating Security Payload (ESP): IP protocol number 50 (keyword: esp)
- Authentication Header (AH): IP protocol number 51 (keyword: ahp)
The first step is to use the show access-lists
command to determine if any ACLs will block IPSec traffic.
Assuming an inbound ACL is causing problems, it must be edited,
placing entries at the beginning to permit IPSec traffic. The following shows an
example of the lines that should be added to Rtr2’s existing ACL 110.
Rtr2# show running-config
!
interface Serial 0
 ip address 10.0.50.2 255.255.255.252
 ip access-group 110 in
!
access-list 110 permit ahp host 10.0.1.21 host 10.0.50.2
access-list 110 permit esp host 10.0.1.21 host 10.0.50.2
access-list 110 permit udp host 10.0.1.21 host 10.0.50.2 eq isakmp
---balance of ACL statements---
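The check described in this step can be automated offline before touching the router. The following Python script is an added example, not part of the original text or of any Cisco tool: it parses a subset of IOS extended ACL syntax (permit/deny, protocol keyword, any / host / address-plus-wildcard, eq port, established), applies first-match semantics with the implicit deny at the end, and reports which of the three IPSec flows (AH, ESP, ISAKMP on UDP 500) from the peer would be dropped. The peer and interface addresses are taken from the Rtr2 example above; the "existing" ACL 110 contents are a constructed stand-in for the typical reply-only policy the text describes. It also shows why the permit statements must go at the beginning: appended after deny ip any any they are never reached.

```python
"""Offline check: does a Cisco IOS extended ACL admit inbound IPSec from a VPN peer?
Added example with constructed sample data; supports a subset of IOS ACL syntax."""
import ipaddress

# Flows a VPN peer must be able to send inbound: (protocol keyword, destination port)
IPSEC_FLOWS = (("ahp", None), ("esp", None), ("udp", 500))
PORT_KEYWORDS = {"isakmp": 500}


def _wildcard_to_network(addr, wildcard):
    """Convert 'A WILDCARD' (IOS inverse mask, contiguous bits only) to a network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wild.bit_length()
    if wild != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_addr(tokens, i):
    """Return (network, index of next token) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text, number):
    """Parse 'access-list <number> permit|deny <proto> <src> <dst> [eq <port>] [established]'."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, proto = t[2], t[3].lower()
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rest = t[i:]
        dport = None
        if "eq" in rest:
            p = rest[rest.index("eq") + 1]
            dport = PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "dport": dport, "established": "established" in rest,
                        "line": line.strip()})
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation; returns (action, matching entry or None). Implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src_ip not in e["src"] or dst_ip not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["established"]:  # matches only reply TCP segments; a new IKE/ESP/AH flow is not one
            continue
        return e["action"], e
    return "deny", None


def blocked_ipsec_flows(acl_text, number, peer, local):
    """Return the IPSec flows from peer to local that the ACL would deny."""
    entries = parse_acl(acl_text, number)
    return [(proto, dport) for proto, dport in IPSEC_FLOWS
            if evaluate(entries, proto, peer, local, dport)[0] != "permit"]


def ipsec_permit_lines(number, peer, local):
    """The three permit statements the step prescribes, in the order shown above."""
    return [f"access-list {number} permit ahp host {peer} host {local}",
            f"access-list {number} permit esp host {peer} host {local}",
            f"access-list {number} permit udp host {peer} host {local} eq isakmp"]


PEER, LOCAL = "10.0.1.21", "10.0.50.2"  # addresses from the Rtr2 example

# Constructed stand-in for Rtr2's existing ACL 110: the typical "replies only" policy
EXISTING_ACL = """\
access-list 110 permit tcp any any established
access-list 110 deny ip any any
"""
# Permits placed at the beginning, as the text requires
FIXED_ACL = "\n".join(ipsec_permit_lines(110, PEER, LOCAL)) + "\n" + EXISTING_ACL
# Permits appended after 'deny ip any any' are unreachable under first-match semantics
APPENDED_ACL = EXISTING_ACL + "\n".join(ipsec_permit_lines(110, PEER, LOCAL))

if __name__ == "__main__":
    for name, acl in (("existing", EXISTING_ACL), ("fixed", FIXED_ACL), ("appended", APPENDED_ACL)):
        print(f"{name}: blocked IPSec flows = {blocked_ipsec_flows(acl, 110, PEER, LOCAL)}")
```

Paste the output of show running-config (or show access-lists) into EXISTING_ACL and run the script; an empty list for the peer means the three permits are in place and reachable. Only the peer itself is admitted: any other source address still hits deny ip any any.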