Andy,

For future reference, when in doubt it's always best to go to the source, i.e.
the RFCs.  You can get a complete reference of the RFCs at:

http://www.rfc.net

Having said this, in general for IPSec to work you'll need to allow ISAKMP,
which uses UDP port 500.  This is _usually_ both the source and destination
port, but not always.  Some VPN clients use a random UDP source port, so
you'll have to allow for that unless you know for a fact that your VPN
clients don't have this behavior.

If you use ESP only (which is common), you just need to also allow IP
protocol number 50.  If you use AH, you need to also allow IP protocol 51.
(IP protocol numbers, _not_ TCP/UDP port numbers.) These will be both the
source and destination IP protocols.

HTH,
Kent
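The rules Kent lists above, written out as a Cisco IOS extended access list. This is an added example, not part of either post: the interface name, the gateway address 198.51.100.1 and the remote peer range 203.0.113.0/24 are placeholders, and the ACL is assumed to be applied inbound on the outside interface of the perimeter router.

```cisco
! Added example (not from the original posts). Placeholders:
!   198.51.100.1     = our IPSec gateway behind the router
!   203.0.113.0/24   = remote VPN peers / clients
ip access-list extended OUTSIDE-IN
 remark IKE/ISAKMP: match only the destination port (UDP 500),
 remark because some clients send from a random source port
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq isakmp
 remark ESP is IP protocol 50 (keyword esp), AH is IP protocol 51 (keyword ahp);
 remark these are protocol numbers, not TCP/UDP ports
 permit esp 203.0.113.0 0.0.0.255 host 198.51.100.1
 permit ahp 203.0.113.0 0.0.0.255 host 198.51.100.1
 remark everything else from outside is dropped and logged
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
```

`eq isakmp` is the same as `eq 500`, and `permit 50 ...` / `permit 51 ...` can be used in place of the `esp` / `ahp` keywords on older IOS releases. If the peer is a fixed gateway that always sends from UDP 500, a source qualifier of `eq isakmp` can be added to the first rule to tighten it; leave it off for roaming clients. After bringing a tunnel up, `show access-lists OUTSIDE-IN` shows per-line match counters, which quickly tells you whether the ISAKMP, ESP or AH line is the one not being hit, and the `log` keyword on the final deny shows what was dropped.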

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Andy
Sent: Friday, August 17, 2001 6:39 AM
To: [EMAIL PROTECTED]
Subject: Access list to allow IPSEC traffic through? [7:16367]


Hi

Does anyone know the correct requirements to allow IPSEC traffic through an
access list on a perimeter router? Everything works OK without the access
list in place.

I know it's something to do with allowing the correct port numbers/protocols
through, etc... but can't seem to find any more info.

Any help greatly appreciated.


Andy

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16380&t=16367
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]