Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to allow port 50,51,500 for IPSec peering

How to create access list to allow the 3 ports through an interface where IPSec functions?

If I don't specify an access list, are the 3 ports denied by default on the interface? I have seen some IPSec configs with no access list for the 3 ports.

Thanks

Gary

5 REPLIES
Gold

Re: How to allow port 50,51,500 for IPSec peering

just wondering what sort of device you are referring to.

with pix, there is no need; whereas with router, the inbound acl needs to be configured in permitting udp 500, udp 4500, and (potentially) esp.

further, the remote subnet is also needed to be part of the inbound acl.

New Member

Re: How to allow port 50,51,500 for IPSec peering

The 50 and 51 you're referring to aren't TCP or UDP ports, they're the IP protocol numbers for ESP and AH, respectively. ESP and AH are layer 4 protocols, on the same level as TCP (IP proto 6) and UDP (IP proto 17). At any rate, you don't have to allow them into the external (i.e. client-facing) interface on a PIX/ASA/router with an access list, you just have to enable IKE (ISAKMP) on the interface. If you have something in front of the external interface filtering traffic, you'll have to make sure that IPSec traffic is permitted through that device, however (e.g. a PIX in front of a VPN concentrator where the concentrator is the VPN server for remote clients). However, if NAT is happening anywhere in between the client and the server, you should be using IPSec NAT Traversal (NAT-T), and you don't have to permit IP proto 50 (and/or 51), you just have to permit UDP/500 (IKE) and UDP/4500 (NAT-T) to the VPN server.

New Member

Re: How to allow port 50,51,500 for IPSec peering

Just to add,

If it is two way IPSec VPN tunnel then access require on both direction whether its router/pix/asa with

Protocol - 50,51 and udp 500

hope its clear...

New Member

Re: How to allow port 50,51,500 for IPSec peering

Thanks all for the help. I was mistaken about the protocol number and the port number. The device I was talking about is 3700 and 3800 series routers. I need to establish IPSec between them.

Can someone give me an example of the ACL to allow the protocol numbers mentioned above? I've never used NAT-T, is there an example of using it?

Thanks a lot

Gary

Gold

Re: How to allow port 50,51,500 for IPSec peering

on 3800,

access-list 111 permit udp host <3700 public ip> host <3800 public ip> eq non500-isakmp

access-list 111 permit udp host <3700 public ip> host <3800 public ip> eq isakmp

access-list 111 permit esp host <3700 public ip> host <3800 public ip>

access-list 111 permit ip <3700 private subnet> <3700 private subnet mask> <3800 private subnet> <3800 private subnet mask>

for 3700, you just need to "mirror" the codes above. in fact, assuming the vpn is between two routers, and there is no nat device in front of the routers, then nat-t or udp 4500 is not required.

44431
Views
0
Helpful
5
Replies
CreatePlease login to create content