ESP and AH



  • I am working to set up a VPN from our facility to one of our machines at a customer's plant.  We are going to be using a NS-50 (our facility) --> Cisco router (mapped to internal address) --> NS-5GT (attached to the machine at the plant).  Currently they have allowed all traffic to pass through to the NetScreen, but their network guy is screaming that there is a huge security hole in their network because of this.  What ports need to be allowed to pass IPsec, ESP, and AH protocols?  I am guessing that I would only need to have UDP 500 in order for the connection to be made.  Are there any other ports needed, or are there specific ports needed for the IPsec, ESP, and AH IP protocols?  I am new to the networking world, so any help would be great.



  • @preatorian:

    I understand that protocols are not port numbers, but when I tell that to the other network admin he has no idea what I am talking about.  Is there different jargon used for Cisco people?

    Being both a Cisco person and someone that understands this, you might try this approach:

    When applying extended access lists, you can specify the protocol within IP.  The most commonly known ones are TCP/IP and UDP/IP, whose IP protocol numbers are 6 and 17 respectively.  Other protocols exist, such as ICMP/IP (1), GRE/IP (47), EIGRP/IP (88), ESP/IP (50) and AH/IP (51).  So, on your extended access list, put "permit <protocol number>" instead of permit tcp or permit udp.

    A great start would be to begin your ACL with:
    access-list 155 permit 50 any any
    access-list 155 permit 51 any any

    The assigned list can be found here.



  • Configure the router ACL to bypass these IANA Protocol Number Assignments



  • I understand that protocols are not port numbers, but when I tell that to the other network admin he has no idea what I am talking about.  Is there different jargon used for Cisco people?



  • UDP 500 definitely.  Also need to allow IP protocol 50 (ESP) and/or 51 (AH).  May also need UDP 4500 if using NAT-T v2.

    Note that IP protocol does not mean TCP/UDP port 50/51.  It is IP protocol 50/51.
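    As an added example (not code from any poster in this thread), the following Python models the filter the replies above describe: permit IP protocol 50 (ESP) and 51 (AH), permit UDP destination port 500 (IKE) and 4500 (NAT-T), deny everything else. It reads the protocol byte from a raw IPv4 header and only looks at ports when the protocol is UDP, which is exactly the distinction the other admin was missing. Packet builders and addresses are constructed test data, not captures.

```python
import struct

# IANA numbers named in the thread (constructed sample constants for the demo).
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options) in front of payload; checksum left 0 (test data)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport, dport, data=b""):
    """8-byte UDP header; checksum left 0 (test data)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport):
    """20-byte TCP SYN header with no payload (test data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def classify(pkt):
    """Apply the IPsec-only ACL: returns ("permit"|"deny", reason)."""
    if len(pkt) < 20:
        return ("deny", "truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4        # header length in bytes
    proto = pkt[9]                   # IP protocol field, NOT a port
    if proto == IP_PROTO_ESP:
        return ("permit", "ip protocol 50 (ESP)")
    if proto == IP_PROTO_AH:
        return ("permit", "ip protocol 51 (AH)")
    if proto == IP_PROTO_UDP:
        if len(pkt) < ihl + 8:
            return ("deny", "truncated UDP header")
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if dport in (IKE_PORT, NAT_T_PORT):   # mirrors "permit udp any any eq 500/4500"
            return ("permit", f"udp port {dport} (IKE/NAT-T)")
        return ("deny", f"udp port {dport} is not IKE or NAT-T")
    return ("deny", f"ip protocol {proto} is not ESP, AH or UDP")


if __name__ == "__main__":
    for name, pkt in [("ESP", build_ipv4(IP_PROTO_ESP, b"\x00" * 8)),
                      ("IKE", build_ipv4(IP_PROTO_UDP, build_udp(500, 500))),
                      ("TCP/50", build_ipv4(IP_PROTO_TCP, build_tcp(1234, 50)))]:
        print(name, classify(pkt))
```

    A TCP or UDP packet to port 50 is denied: "port 50" and "IP protocol 50" are different fields, which is the point of the reply above.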

