I don't know about the DMVPN, or what it even is, but for a "standard" IPsec VPN the ports would be UDP 500, and PROTOCOLS 50 and 51. Now, that is assuming that there is no NAT going on, and you are using tunnel mode, so that you don't see the GRE tunnel in the first header. If there is NAT, then you need to know what type of NAT you are using. If you are using standard NAT-T translation, then the port number would be UDP 4500, and you would not need PROTOCOL 50 or 51 (I think). You would still need UDP 500 which is IKE and is used to set up the IPsec tunnel and negotiate NAT translation, etc.
Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: mccloud mike [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL for DMVPN [7:74028]

looks like tcp 47, 50 and udp 500

http://www.cisco.com/en/US/customer/products/hw/routers/ps4081/products_tech_note09186a0080094267.shtml

Mike

Thomas N wrote:
>
> I got a lab setup simulating DMVPN with IPSec over GRE. I would like to
> apply an access control list to the outside interface of the routers to
> block everything, except for TCP/UDP ports that are needed for GRE, IPSec,
> IKE and those related to DMVPN implementation. Does someone know what ports
> should I open on the ACL? Thanks!
>
> Thomas

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74087&t=74028
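
An added example, not part of the original thread: an inbound ACL for the outside interface covering both cases the first reply distinguishes (no NAT, and NAT-T). The ACL name, the interface and 192.0.2.1 (standing in for this router's outside address) are placeholders, and the source is `any` on the assumption that the remote peers' addresses are not known in advance.

```cisco
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500): sets up the IPsec tunnel and negotiates NAT traversal
 permit udp any host 192.0.2.1 eq isakmp
 remark No NAT in the path: ESP is IP protocol 50, AH is IP protocol 51
 permit esp any host 192.0.2.1
 permit ahp any host 192.0.2.1
 remark NAT-T: IPsec traffic arrives encapsulated in UDP 4500
 permit udp any host 192.0.2.1 eq non500-isakmp
 remark GRE is IP protocol 47, not a TCP or UDP port. It rides inside ESP,
 remark so this entry only matters on IOS releases that check the decrypted
 remark packet against the interface ACL a second time.
 permit gre any host 192.0.2.1
 remark Everything else is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

After bringing a tunnel up, `show access-lists OUTSIDE-IN` lists the match counter for each entry, which shows which of these permits the traffic actually uses and which can be removed.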

