How to permit or deny IP protocol 50 or 51?
Access-list 100-199?

Thanks in advance.

Jim

--- Kent Hundley wrote:
> Andy,
> 
> For future reference, when in doubt it's always best
> to go to the source, i.e.
> the RFCs.  You can get a complete reference of the
> RFCs at:
> 
> http://www.rfc.net
> 
> Having said this, in general for IPSec to work
> you'll need to allow ISAKMP,
> which uses UDP port 500.  This is _usually_ both the
> source and destination
> port, but not always.  Some VPN clients use a random
> UDP source port, so
> you'll have to allow for that unless you know for a
> fact that your VPN
> clients don't have this behavior.
> 
> If you use ESP only (which is common), you just need
> to also allow IP
> protocol number 50.  If you use AH, you need to also
> allow IP protocol 51.
> (_not_ TCP/UDP port numbers, IP protocol numbers)
> These will be both the
> source and destination IP protocols.
> 
> HTH,
> Kent
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Andy
> Sent: Friday, August 17, 2001 6:39 AM
> To: [EMAIL PROTECTED]
> Subject: Access list to allow IPSEC traffic through?
> [7:16367]
> 
> 
> Hi
> 
> Does anyone know the correct requirements to allow
> IPSEC traffic through an
> access list on a perimeter router? Everything works
> OK without the access
> list in place.
> 
> I know it's something to do with allowing the
> correct port numbers/protocols
> through, etc... but can't seem to find any more
> info.
> 
> Any help greatly appreciated.
> 
> 
> Andy
[EMAIL PROTECTED]
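
An extended-ACL sketch for the question at the top of this message and the rules Kent describes, added here as an example and not posted by anyone in the thread. The ACL number 101, the interface Serial0 and the addresses (192.0.2.1 as the local VPN endpoint, 198.51.100.1 as the remote peer) are assumptions chosen for illustration.

```cisco
! Added example with constructed values: 192.0.2.1 = local VPN endpoint,
! 198.51.100.1 = remote peer (documentation addresses), ACL 101, Serial0.
!
! IP protocol numbers can only be matched in an extended ACL (100-199);
! a standard ACL (1-99) matches on source address alone.
!
! ISAKMP: UDP 500 as both source and destination port
access-list 101 permit udp host 198.51.100.1 eq isakmp host 192.0.2.1 eq isakmp
!
! ESP: IP protocol 50 (keyword "esp"; the number 50 is accepted as well)
access-list 101 permit esp host 198.51.100.1 host 192.0.2.1
!
! AH: IP protocol 51 (keyword "ahp"); needed only when AH is in use
access-list 101 permit ahp host 198.51.100.1 host 192.0.2.1
!
! Numeric form of the two lines above:
!   access-list 101 permit 50 host 198.51.100.1 host 192.0.2.1
!   access-list 101 permit 51 host 198.51.100.1 host 192.0.2.1
!
! VPN clients that use a random UDP source port: leave the source port
! unmatched and fix only the destination port.
!   access-list 101 permit udp any host 192.0.2.1 eq isakmp
!
! To block instead of allow, use "deny" with the same match, e.g.
!   access-list 101 deny esp any any
!
! Every ACL ends in an implicit "deny ip any any", so the remaining
! permitted traffic must be listed in ACL 101 too before it is applied.
interface Serial0
 ip access-group 101 in
```

Naming the peer addresses rather than using "any any" keeps the perimeter router from passing ESP, AH and ISAKMP to hosts that are not VPN endpoints.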


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16431&t=16367