
allowing IP port 50 (ESP)?

Jan 15, 2002
I need to allow IP port 50 for ESP to my PIX-515 for a VPN connection. I'm familiar with adding IP hosts but not IP ports...only TCP or UDP ports. What access list command should I use?



----------------
Thanks!
cahelmster [lookaround]
 
ESP is a protocol. You'll also want to allow 51 (AH) and TCP port 500.

"sysopt connection permit-ipsec" takes care of it for you.
 
ok...sounds easy enough...

This is a separate VPN device behind my firewall that will be configured to establish a VPN connection over the Internet to another site. So the sysopt command will take care of everything and is also for outbound only?

Will I also need NAT statements if the device is using a new public IP?

----------------
Thanks!
cahelmster [lookaround]
 
"This is a separate VPN device behind my firewall that will be configured to establish a VPN connection over the Internet to another site. So the sysopt command will take care of everything and is also for outbound only?"

No, not really. ESP is not stateful per se. You will need to add permit statements to the outside PIX interface.
If I am not mistaken, 'sysopt connection permit-ipsec' just allows all decrypted traffic in. Since the VPN connection is not terminating on the firewall itself, you will need to allow the needed VPN tunnel traffic to pass through the PIX.


access-list ACL_Outside permit udp host $REMOTE_ENDPOINT_IP host $LOCAL_ENDPOINT_IP eq 500
access-list ACL_Outside permit esp host $REMOTE_ENDPOINT_IP host $LOCAL_ENDPOINT_IP
access-list ACL_Outside permit udp host $REMOTE_ENDPOINT_IP host $LOCAL_ENDPOINT_IP eq 4500

access-group ACL_Outside in interface outside

You may need udp/4500 for NAT-Transparency (ESP wrapped in UDP) since you have a NAT device in between.


"Will I also need NAT statements if the device is using a new public IP?"

Yup
static (inside, outside) $New_Public_IP $Inside_IP
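As an added illustration (not part of this thread or of PIX itself), here is a small Python evaluator for the ACL_Outside lines above, with constructed addresses standing in for $REMOTE_ENDPOINT_IP and $LOCAL_ENDPOINT_IP. It shows that the ESP rule matches on hosts only (ESP has no port field to narrow on, only an SPI), and that AH (protocol 51) would hit the implicit deny unless a rule for it is added.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the thread's placeholders (assumption, RFC 5737 test ranges).
REMOTE = "203.0.113.10"   # $REMOTE_ENDPOINT_IP
LOCAL = "198.51.100.20"   # $LOCAL_ENDPOINT_IP

# The three permit lines from the post, with placeholders substituted.
ACL_OUTSIDE = f"""
access-list ACL_Outside permit udp host {REMOTE} host {LOCAL} eq 500
access-list ACL_Outside permit esp host {REMOTE} host {LOCAL}
access-list ACL_Outside permit udp host {REMOTE} host {LOCAL} eq 4500
"""

# IP protocol numbers behind the PIX protocol keywords; 0 stands for "ip" (any protocol).
PROTO_NUMBER = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only TCP/UDP carry ports; ESP/AH have none

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO host SRC host DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, src, dst = t[2], t[3], t[5], t[7]
        port = int(t[9]) if len(t) > 9 and t[8] == "eq" else None
        rules.append((action, PROTO_NUMBER[proto], src, dst, port))
    return rules

def evaluate(rules, pkt):
    """Return the action of the first matching rule, first-match semantics like the PIX."""
    for action, proto, src, dst, port in rules:
        if proto not in (0, pkt.proto):
            continue
        if pkt.src != src or pkt.dst != dst:
            continue
        if port is not None and pkt.dport != port:
            continue
        return action
    return "deny"   # implicit deny at the end of every PIX access-list

if __name__ == "__main__":
    rules = parse_acl(ACL_OUTSIDE)
    for label, pkt in [("IKE udp/500", Packet(REMOTE, LOCAL, 17, 500)),
                       ("ESP", Packet(REMOTE, LOCAL, 50)),
                       ("AH", Packet(REMOTE, LOCAL, 51)),
                       ("NAT-T udp/4500", Packet(REMOTE, LOCAL, 17, 4500))]:
        print(f"{label:15} -> {evaluate(rules, pkt)}")
```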
 
cool...thanks

are there ports to ESP to narrow down the access-list statement? I'm not used to really anything but IP...

----------------
Thanks!
cahelmster [lookaround]
 