From my experience, most ACL problems are due to:
- applying it on the wrong direction (i.e. you should probably
put it inbound on the interface to the Internet)
- forgetting to allow the other direction as well (i.e. outbound to the Internet)
for the traffic to the Internet
- wrong ordering
Otherwise, your ACL looks correct to me. A 'show access-list' will show the
number of times an ACL line has been triggered. You may also find it useful
to add a 'log' keyword on all lines denying traffic just to check whether
a previous line is conflicting with the PPTP traffic.
Hope this helps
-eric
At 15:48 28/06/1999 -0500, Jeff Burson wrote:
>
>Good afternoon,
>
>I'm attempting to set up an appropriate ACL for allowing pptp connections
>to an MS NT pptp/vpn server.
>
>Going through the documentation, I find that I need to set up an ACL for
>the control channel on TCP/1723. Simple enough:
>
>access-list 102 permit tcp any host x.x.x.x eq 1723
>
>Then, it goes on to say that data packets are transmitted over
>IP using GRE (protocol ID 47) with a GRE protocol field of 0x880B.
>
>I'm not sure how to set up an ACL to permit the data traffic. Sure enough,
>my PPTP users are hitting our VPN server but failing afterwards.
>
>Cisco documentation suggests that an ACL would look something like:
>
>access-list 102 permit gre any host x.x.x.x
>
>However, this doesn't seem to work. Permitting all IP to the pptp server
>does get everything working correctly, but that's not a solution I want
>to use.
>
>Any suggestions? Any input would be appreciated.
>
>cheers,
>
>jeff
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458