Cisco Support Community
Community Member

Protocol 50 and 51

Do these protocols need to be "enabled" whether IPSec over UDP or IPSec over TCP are used behind a PAT/NAT device, or is it ONLY when they don't have any translation occurring at all, like a cable modem or something? Also, when you're on a cable modem or something like that, how can you really tell if your ISP is blocking these protocols?

It seems we've been getting away with ignoring 50 and 51, but are running into issues where the IPSec SA will time out when it never should at all. I wonder if this is why.


Cisco Employee

Re: Protocol 50 and 51

If you're doing IPSec over UDP/TCP then you shouldn't see these protocols, as they'll be inside a UDP/TCP packet.

If you're not doing UDP/TCP encapsulation, you should still be able to build a tunnel to whatever it is you're connecting to, cause this is all done with ISAKMP (UDP 500). If these are being blocked by your ISP, you then won't be able to ping or transfer any data over that tunnel, cause this is all done with protocol 50 and 51 packets. Of course, these are also not handled by a lot of PAT devices, so it may not be that your ISP is blocking it, but rather you're being PAT'd somewhere and this device is dropping them. If you have a valid global IP address though, you probably aren't being PAT'd.
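One way to check the reply's reasoning against a packet capture taken on the client side (added example, not from the thread or from Cisco): classify each packet as ISAKMP (UDP 500), UDP-encapsulated ESP, raw ESP (protocol 50) or AH (protocol 51), note that only the UDP ones carry ports a PAT device can rewrite, and flag the "tunnel builds but nothing flows" pattern. The sample packets are constructed; UDP 4500 for NAT-T comes from RFC 3948 and is not mentioned in the thread.

```python
import struct

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
PORT_ISAKMP, PORT_NAT_T = 500, 4500  # 4500 = NAT-T (RFC 3948), not named in the thread

def ipv4(proto, src, dst, payload=b""):
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

def udp(sport, dport):
    """Minimal UDP header, no payload (constructed test data)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify(pkt):
    """Label a packet ISAKMP / NAT-T / ESP / AH / other; pat_ok is True only when
    there are L4 ports a PAT device can rewrite (ESP and AH carry none)."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    kind, pat_ok = "other", False
    if proto == PROTO_ESP:
        kind = "ESP"
    elif proto == PROTO_AH:
        kind = "AH"
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        pat_ok = True
        if PORT_ISAKMP in (sport, dport):
            kind = "ISAKMP"
        elif PORT_NAT_T in (sport, dport):
            kind = "NAT-T"
    return {"kind": kind, "src": src, "dst": dst, "pat_ok": pat_ok}

def diagnose(pkts, local_ip):
    """Match a client-side capture against the symptom described in the thread."""
    seen = {("in" if p["dst"] == local_ip else "out", p["kind"]) for p in map(classify, pkts)}
    if ("in", "NAT-T") in seen or ("out", "NAT-T") in seen:
        return "UDP encapsulation in use: protocol 50/51 never appears on the wire"
    if ("in", "ISAKMP") in seen and ("out", "ESP") in seen and ("in", "ESP") not in seen:
        return "ISAKMP completes but ESP never returns: protocol 50 dropped by PAT or ISP"
    return "no ESP/AH path problem visible in this capture"

# Constructed capture: IKE completes over UDP 500, our ESP leaves, nothing comes back.
CAPTURE = [ipv4(PROTO_UDP, "10.0.0.5", "203.0.113.1", udp(500, 500)),
           ipv4(PROTO_UDP, "203.0.113.1", "10.0.0.5", udp(500, 500)),
           ipv4(PROTO_ESP, "10.0.0.5", "203.0.113.1", b"\x00" * 8)]
```

Run `diagnose(CAPTURE, "10.0.0.5")` on a real capture converted to raw IPv4 bytes; a result of "no ESP/AH path problem" with a still-failing tunnel points away from the 50/51 explanation.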
