PIX 6.4 allowing pass-through ipsec for windows2003

Jun 25th, 2009


I have set up the ipsec between two servers to pass through firewall.

I had to allow both directions from host to host on tcp/udp 500 and 88, and had to put an "ip any" access-list entry in as well to make it work.

The question is: we are using PIX 6.4 and I have not found the command to specify in the ACL to allow only IP protocols 50 and 51, so I had to open the entire IP protocol.

Could anyone send me a link if there is an option to reduce the number of ports for a 'permit ip' statement in PIX 6.4?


jliscano Thu, 06/25/2009 - 10:53

To allow port ESP 50 just use:

access-list <acl_name> permit esp any any

To allow port AH 51 just use:

access-list <acl_name> permit ah any any
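
Putting the thread's answer together with the ports from the question, here is an added configuration example (it is not from the thread or from Cisco) showing the over-broad "permit ip" entry next to a least-privilege ACL that opens only what IPsec between the two hosts needs. It assumes PIX 6.x syntax (no "extended" keyword; that arrived in 7.0), a placeholder ACL name IPSEC_PASSTHRU, placeholder host addresses 192.0.2.10 (outside server) and 10.0.0.20 (inside server), and that the inside server is reachable from outside under its own address via an identity static. That last point matters for AH: it authenticates the IP header, so it fails whenever the firewall rewrites addresses.

```cisco
! Added example, not from the thread. Placeholders: IPSEC_PASSTHRU, 192.0.2.10,
! 10.0.0.20, interface name "outside".

! Identity translation so the inside server keeps its address end to end
! (required for AH; also keeps the ACL addresses unambiguous on PIX 6.x,
! where outside ACLs match the translated address of the inside host)
static (inside,outside) 10.0.0.20 10.0.0.20 netmask 255.255.255.255

! --- Weak form from the question: opens every IP protocol between the hosts ---
! access-list IPSEC_PASSTHRU permit ip host 192.0.2.10 host 10.0.0.20

! --- Least-privilege form ---
! IKE / ISAKMP negotiation (udp/500)
access-list IPSEC_PASSTHRU permit udp host 192.0.2.10 host 10.0.0.20 eq isakmp
! Kerberos (tcp/udp 88), used when the Windows IPsec policy authenticates with Kerberos
access-list IPSEC_PASSTHRU permit tcp host 192.0.2.10 host 10.0.0.20 eq 88
access-list IPSEC_PASSTHRU permit udp host 192.0.2.10 host 10.0.0.20 eq 88
! ESP is IP protocol 50 and AH is IP protocol 51: they are protocols, not ports,
! so they are matched by protocol keyword with no port operator
access-list IPSEC_PASSTHRU permit esp host 192.0.2.10 host 10.0.0.20
access-list IPSEC_PASSTHRU permit ah host 192.0.2.10 host 10.0.0.20

! Bind the ACL to traffic entering from the outside
access-group IPSEC_PASSTHRU in interface outside
```

Traffic initiated by the inside server toward the outside one is allowed by the PIX's default higher-to-lower security behaviour unless an inbound ACL is bound on the inside interface; if one is, mirror the same five entries there with source and destination swapped. The "eq 88" lines are written numerically on purpose: the "kerberos" port literal on Cisco firewalls refers to port 750, not 88.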

ajanowska1 Thu, 06/25/2009 - 12:24

Worked wonders, thanks a lot, exactly what I was looking for.

Is there a guide on the Cisco side, such as a best-practice guide for FW ACLs? I can't find anything concise as of yet.

Thanks for your help, Anna

jliscano Thu, 06/25/2009 - 12:50

Hi Anna. There are several materials referencing just basic ACL designs (not specific to FW), but it's pretty much the same concept. The one that I used is from O'Reilly, called "Cisco IOS Access List".

Glad I could help.