IP Protocols 50 & 51 through ASA Firewall for Nortel VPN Client

Nov 14th, 2008


I need to allow protocols 50 & 51 (AH & ESP) through our ASA 5505 Firewall so that our Nortel VPN Client will connect to a remote network.

Can you tell me how I go about this please, are there inspect rules I can add?

There are also UDP ports I need to allow, but I believe UDP is allowed anyway by the implicit allow rule?

Does this implicit outgoing rule "allow all IP to any less secure network" on the ASA only include UDP and TCP? Can someone confirm this please.



shaw.chris Fri, 11/14/2008 - 08:11

Hi, thanks for the quick reply,

I'm unsure about some of those questions, but we have a Software Nortel VPN Client installed on a couple of laptops which need to connect to a remote network.

Looking at the documentation, I require Protocol 50, 51 and UDP 500 allowed on the Firewall.

I have NAT set up to translate our one External IP address to multiple addresses on the inside.

Could you please also confirm that by default only TCP & UDP is allowed out from the inside on an ASA firewall

Thanks, Chris


As it is your machines that need to connect to a remote Nortel device, you only need to make changes to your firewall if you are filtering from the "inside" to the "outside", which typically most people are not.

Typically in an ASA any "IP" is allowed from a higher security interface to a lower security interface. I say "IP" as this is protocol number 4. Having said that, protocol 50 & 51 (ESP & AH) will also be allowed if you are not filtering.

So basically from your site to the remote site should work.


shaw.chris Fri, 11/14/2008 - 08:58


This is what I don't understand,

What does the implicit allow rule from Inside-Outside let through on the ASA?

From your response ESP and AH will also be allowed as well as TCP/UDP but a protocol such as ICMP does not work until I put an inspect rule.

How do I know what is let through and what isn't ?




The reason why ICMP does not respond is that it's not "stateful" until you tell the device to inspect it. If you do not want to inspect it, just write an ACL for the outside interface allowing whichever ICMP types to return into the outside interface.

To know what is allowed and what is not, the rules below apply:

1) There is an implicit deny all at the end of EVERY access-list

2) ALL traffic is allowed from a higher security interface to a lower security interface

3) To allow traffic originating from a lower security interface to a higher security interface you need to permit it with an ACL.

Also check your logs. Logging is your friend.
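As an added illustration of the three rules above (this is not configuration posted by anyone in the thread), here is the kind of ASA configuration they describe: ICMP inspection so echo replies are tracked statefully, and an outside-interface ACL that admits the return ESP, AH and ISAKMP traffic only from the one remote VPN gateway. The addresses are constructed placeholders, and the example assumes inside hosts are PAT'ed to the ASA's outside interface address.

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   203.0.113.10  = remote Nortel VPN gateway
!   198.51.100.5  = ASA outside interface, also the PAT address for inside hosts
!
! Rule 2: inside -> outside is allowed without an ACL, so the outbound ESP, AH
! and UDP/500 from the laptops need nothing here unless an inside ACL exists.
!
! ICMP is not tracked statefully until inspected; with the inspect enabled,
! echo replies come back through the existing connection and need no ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Rule 1 and 3: return traffic arriving on the outside interface hits the
! implicit deny unless permitted. Permit only the remote gateway, not "any".
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.5
access-list OUTSIDE_IN extended permit ah host 203.0.113.10 host 198.51.100.5
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 eq isakmp host 198.51.100.5 eq isakmp
! Alternative to "inspect icmp": admit only echo replies, explicitly.
! access-list OUTSIDE_IN extended permit icmp any host 198.51.100.5 echo-reply
access-group OUTSIDE_IN in interface outside
!
! "Logging is your friend": the buffered log shows which rule dropped a packet.
logging enable
logging buffered informational
```

One caveat on the NAT setup mentioned earlier: ESP carries no port numbers, so a single PAT address can carry only one raw ESP session at a time; a second laptop behind the same address needs NAT traversal (IPsec over UDP/4500) rather than raw ESP.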


risenshine4th Fri, 11/14/2008 - 13:22

Post the logs if you have trouble.

Also, check that the firewalls on the PC are disabled. Sometimes Norton and McAfee and others will block returning IPsec traffic.


imuonagor Wed, 08/26/2009 - 11:49

Hi, I don't know if you finally worked around this issue, but I'm having the same in my office.

We were not using a firewall before and the Nortel VPN clients on the PCs worked well. Then I installed a PIX 515 firewall, and the VPN will connect, then after a little time it disconnects.

Please let me know how you resolved the issue in your network. Thanks a bunch!

