111024 Views, 13 Helpful, 5 Replies

How to allow port 50,51,500 for IPSec peering

gwhuang5398 (Level 2)

How do I create an access list to allow the 3 ports through an interface where IPSec functions?

If I don't specify an access list, are the 3 ports denied by default on the interface? I have seen some IPSec configs with no access list for the 3 ports.

Thanks

Gary

5 Replies

jackko (Level 7)

Just wondering what sort of device you are referring to.

With a PIX, there is no need; whereas with a router, the inbound ACL needs to be configured to permit UDP 500, UDP 4500, and (potentially) ESP.

Further, the remote subnet also needs to be part of the inbound ACL.

gglynn (Level 1)

The 50 and 51 you're referring to aren't TCP or UDP ports; they're the IP protocol numbers for ESP and AH, respectively. ESP and AH are layer 4 protocols, on the same level as TCP (IP proto 6) and UDP (IP proto 17).

At any rate, you don't have to allow them into the external (i.e. client-facing) interface on a PIX/ASA/router with an access list; you just have to enable IKE (ISAKMP) on the interface. If you have something in front of the external interface filtering traffic, you'll have to make sure that IPSec traffic is permitted through that device, however (e.g. a PIX in front of a VPN concentrator where the concentrator is the VPN server for remote clients).

However, if NAT is happening anywhere in between the client and the server, you should be using IPSec NAT Traversal (NAT-T), and you don't have to permit IP proto 50 (and/or 51); you just have to permit UDP/500 (IKE) and UDP/4500 (NAT-T) to the VPN server.

Just to add,

If it is a two-way IPSec VPN tunnel, then access is required in both directions, whether it's a router/PIX/ASA, with:

Protocol 50, 51 and UDP 500

Hope it's clear.

Thanks all for the help. I was mistaken about the protocol number and the port number. The devices I was talking about are 3700 and 3800 series routers. I need to establish IPSec between them.

Can someone give me an example of the ACL to allow the protocol numbers mentioned above? I've never used NAT-T, is there an example of using it?

Thanks a lot

Gary

On the 3800:

access-list 111 permit udp host <3700 public ip> host <3800 public ip> eq non500-isakmp
access-list 111 permit udp host <3700 public ip> host <3800 public ip> eq isakmp
access-list 111 permit esp host <3700 public ip> host <3800 public ip>
access-list 111 permit ip <3700 private subnet> <3700 wildcard mask> <3800 private subnet> <3800 wildcard mask>

(IOS extended ACLs take wildcard masks, the inverse of the subnet mask, e.g. 0.0.0.255 for a /24.)

For the 3700, you just need to "mirror" the lines above. In fact, assuming the VPN is between two routers and there is no NAT device in front of the routers, then NAT-T or UDP 4500 is not required.
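Putting jackko's ACL together with gglynn's point that ESP and AH are IP protocols (50 and 51) rather than ports, here is the mirrored 3700 side with the ACL bound to the Internet-facing interface, plus the NAT-T knob Gary asked about. This is an added example written for this page, not configuration posted by anyone in the thread. The ACL number 111, the interface name FastEthernet0/0 and the crypto map name VPNMAP are assumed; the angle-bracket placeholders must be replaced with the real addresses, and the private-subnet line takes wildcard masks, not subnet masks.

```cisco
! Added example for the 3700 side (not from the thread). Assumed names:
! ACL 111, interface FastEthernet0/0, crypto map VPNMAP.
!
! IKE phase 1 (UDP/500) and NAT-T encapsulated IKE/ESP (UDP/4500) from the peer.
access-list 111 remark --- IPsec peering with the 3800 ---
access-list 111 permit udp host <3800 public ip> host <3700 public ip> eq isakmp
access-list 111 permit udp host <3800 public ip> host <3700 public ip> eq non500-isakmp
!
! ESP is IP protocol 50, matched by the "esp" keyword, not by a port number.
! Needed when no NAT sits between the peers; with NAT-T, ESP rides inside UDP/4500.
access-list 111 permit esp host <3800 public ip> host <3700 public ip>
!
! AH is IP protocol 51 ("ahp" keyword). Add it only if the transform set uses AH.
! access-list 111 permit ahp host <3800 public ip> host <3700 public ip>
!
! Decrypted traffic from the remote LAN. Wildcard masks: 0.0.0.255 for a /24.
access-list 111 permit ip <3800 private subnet> <3800 wildcard mask> <3700 private subnet> <3700 wildcard mask>
!
! Everything else is dropped by the implicit deny at the end of the list.
!
interface FastEthernet0/0
 description Internet-facing interface toward the 3800
 ip access-group 111 in
 crypto map VPNMAP
!
! NAT-T is enabled by default on IOS; this is the command that controls it.
! Only the UDP/500 and UDP/4500 ACL entries matter once a NAT device sits
! between the peers, because ESP is then carried inside UDP/4500.
crypto ipsec nat-transparency udp-encapsulation
```

To confirm a tunnel is actually using NAT-T, run "show crypto ipsec sa" and look for "UDP-Encaps" in the "in use settings" line of the SA; if it is absent and a NAT device is in the path, the ESP packets are being sent bare and will be dropped or rewritten by the NAT.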