● Permit ICMP traffic, to support Path MTU discovery (PMTU), for a better fragmentation process.
● For each private subnet, add a permit rule, with the destination being the private subnet, and the source being any. This traffic will be allowed only if it tunnels under the VPN, because of the crypto-list.
● Define all other traffic (default rule) as deny in order to protect the device from non-secure traffic.
12. Define the Egress access control list to protect the device from sending traffic that is not allowed to the public interface (optional):
● Permit IKE traffic (UDP port 500) for VPN control traffic (IKE).
Note: If you are using NAT Traversal, you also need to open UDP ports 4500 and 2070.
● Permit ESP traffic (IP protocol ESP) for VPN data traffic (IPSec).
● Permit ICMP traffic, to support Path MTU discovery (PMTU), for a better fragmentation process.
● For each private subnet, add a permit rule, with the source being the private subnet, and the destination being any.
● Define all other traffic (default rule) as deny in order to protect the device from sending non-secure traffic.
13. Activate the crypto-list, the Ingress access control list, and the Egress access control list on the public interface.
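The ingress and egress lists above are ordered, first-match rule sets. The following Python model is an added example (not Avaya's configuration syntax and not part of this guide) that builds both lists exactly as the steps describe and evaluates constructed sample packets against them, so the intended permit/deny outcome of each rule can be checked before the lists are activated on a real gateway. The private subnets, the sample addresses and the `Packet`/`Rule` types are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed example topology (assumption, not from the guide): two private
# subnets that sit behind the VPN gateway.
PRIVATE_SUBNETS = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class Packet:
    proto: str            # "udp", "tcp", "esp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str = "any"    # "any" matches every protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None   # None matches any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule is satisfied by the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation; a list with no matching rule denies by default."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def _vpn_control_rules(nat_traversal: bool) -> List[Rule]:
    # IKE on UDP/500; with NAT Traversal the guide also opens UDP 4500 and 2070.
    rules = [Rule("permit", "udp", dport=500)]
    if nat_traversal:
        rules += [Rule("permit", "udp", dport=4500),
                  Rule("permit", "udp", dport=2070)]
    rules.append(Rule("permit", "esp"))     # ESP carries the IPSec data traffic
    rules.append(Rule("permit", "icmp"))    # ICMP needed for Path MTU discovery
    return rules


def ingress_acl(private_subnets, nat_traversal: bool = True) -> List[Rule]:
    """Ingress list: destination = private subnet, source = any, then deny all."""
    rules = _vpn_control_rules(nat_traversal)
    rules += [Rule("permit", dst=net) for net in private_subnets]
    rules.append(Rule("deny"))              # explicit default deny
    return rules


def egress_acl(private_subnets, nat_traversal: bool = True) -> List[Rule]:
    """Egress list: source = private subnet, destination = any, then deny all."""
    rules = _vpn_control_rules(nat_traversal)
    rules += [Rule("permit", src=net) for net in private_subnets]
    rules.append(Rule("deny"))
    return rules


if __name__ == "__main__":
    ingress = ingress_acl(PRIVATE_SUBNETS)
    egress = egress_acl(PRIVATE_SUBNETS)
    samples = [
        ("ingress IKE", ingress, Packet("udp", "203.0.113.5", "198.51.100.1", 500)),
        ("ingress to private subnet", ingress, Packet("tcp", "203.0.113.5", "10.1.2.3", 22)),
        ("ingress to gateway ssh", ingress, Packet("tcp", "203.0.113.5", "198.51.100.1", 22)),
        ("egress from private subnet", egress, Packet("tcp", "10.1.2.3", "203.0.113.5", 443)),
        ("egress from gateway itself", egress, Packet("tcp", "198.51.100.1", "203.0.113.5", 443)),
    ]
    for label, acl, pkt in samples:
        print(f"{label:28s} -> {evaluate(acl, pkt)}")
```

Note the one thing this model cannot show: the ingress "permit to private subnet from any" rule is only safe on the real device because the crypto-list forces that traffic through the IPSec tunnel (step 13 activates both together). An ACL checker on its own would accept a cleartext packet addressed to a private subnet, which is exactly why the guide pairs the ingress list with the crypto-list rather than relying on either alone.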
Typical installations
Issue 1.1 June 2005
433