

Protocols 50 and 51 with Linksys router

Posted on 2003-12-08
Medium Priority
Last Modified: 2016-10-12
Is a BEFSR11 Linksys router capable of letting in Protocols 50 and 51?
I am under the understanding that protocols and ports are 2 different things.
I would not set up port 50 and 51 to be forwarded. Am I correct?
I called Linksys but the person I was talking to kept insisting they were port numbers.
I guess it's too much to ask Linksys tech support to know their product.
Question by:pauls681
LVL 33

Expert Comment

ID: 9899137
To answer the difference between port and protocol

  Protocol - When data is being transmitted between two or more devices something needs to govern the controls that keep this data intact. A formal description of message formats and the rules two computers must follow to exchange those messages. Protocols can describe low-level details of machine-to-machine interfaces (e.g., the order in which bits and bytes are sent across wire) or high-level exchanges between application programs (e.g., the way in which two programs transfer a file across the Internet). [San Diego State University]

Ports are used by the TCP/IP suite of protocols to establish a basis and consensus on standard applications, such as DNS, which runs on TCP port 53.

So, when you say you need 50 and 51 open, most likely it's either UDP or TCP ports 50 and 51. So the Linksys tech guy was correct, sorry.

The Linksys routers can forward these ports to a static internal address. Follow these instructions:
Port forwarding is a method that allows you to run a server behind the router. Port Forwarding opens a specific port to a computer behind the router, allowing all Incoming Traffic on that port to be sent directly to that server. It should be used to set up servers behind the router.
 Port Triggering (KB10934316) is a better choice for non-server applications (such as instant messengers and game servers).
 Below is an example of how to set up Port Forwarding. For our example, we will be setting up an FTP Server and a Mail Server that uses SMTP and POP3.
 FTP uses ports:  20 and 21  
 SMTP uses port: 25  
 POP3 uses port: 110  
 Getting Started  
 1. You must set a static IP address on the server. If you are unsure of how to do this, please see Article KB10934010 for information on setting a static IP address in Windows.
 2. Once the static IP address has been assigned to the server, open a web browser and type in the IP address of the router into the browser address bar ( is the default IP of Linksys routers).
 3. When the username and password prompt appears, skip the username field and type admin for the password. Click OK or press the [Enter] key to load the router's "Setup" page. If you have changed the password, use it to access the router's "Setup" page when this prompt appears.
 Note: If you have forgotten the IP address or the password of the router (if either was changed), you must reset the router to factory defaults by holding in the Reset button on the router for 30 seconds.
 4. Click on the Advanced tab on the upper right corner. Once the new page appears, click on the Forwarding tab.
 5. You will need to input entries into the first three lines of this Forwarding table.
 For example:

 Customized Applications   Ext. Port    Protocol   IP Address
 FTP                       20 to 21     Both                      CHECK
 SMTP                      25 to 25     Both                      CHECK
 POP3                      110 to 110   TCP                       CHECK

 Customized Applications: A name you choose to name what the ports will be used for.
 Ext. Port: The external range of ports of the application that will be used.
 Protocol: The protocols that the application will use, TCP, UDP, or Both. May be chosen with checkboxes or a drop-down menu depending on firmware version.
 IP Address: The static IP address of the server computer. This IP address was set in Step 1.

 Good Luck

Author Comment

ID: 9899740
If protocol 50 and 51 are the same as ports then why don't they call them ports?????
It specifically states open port xxx and protocols 50 and 51. If it means port then why call them protocols?? I know protocols and ports are not the same.
I don't believe your answer is correct.
Does anyone else have any input, or can anyone verify the above explanation?
LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 9900395
My 2 cents for what it's worth...

Generally speaking, you are correct that protocols do not equal ports. For example, GRE as a protocol has no concept of ports.
However, in this case, Protocol 50 and 51 are the well-known port numbers assigned to the Authentication Header and Encapsulating Security Payload components of the IPSec protocol.
ESP = 50, AH = 51
In a Cisco access-list I have the option of using "esp" or "tcp port 50", i.e.
access-list xyz permit esp host a.b.c.d host c.f.g.h
access-list xyz permit tcp host a.b.c.d eq 50 host c.f.g.h eq 50

The official IANA port numbers listing has a different use for tcp/udp ports 50/51:
re-mail-ck       50/tcp    Remote Mail Checking Protocol
re-mail-ck       50/udp    Remote Mail Checking Protocol
la-maint         51/tcp    IMP Logical Address Maintenance
la-maint         51/udp    IMP Logical Address Maintenance

While the official IANA protocol-number list is clear, even the RFCs are not clear on the ports used...
50     ESP         Encap Security Payload for IPv6   [RFC2406]
51     AH          Authentication Header for IPv6    [RFC2402]

Since the Linksys doesn't have quite that much intelligence to recognize different protocols, they have given you the ability to enable/disable IPSEC and PPTP "passthrough", but that is generally for outbound. If you set up an inside host as a "dmz" host on the Linksys, then it will certainly pass IPSEC through to it. You can also enable port forwarding and forward TCP ports 50 and 51 to an internal host. However, AH does not work through NAT, period, so you'll be out of luck at that point anyway.

If you're using a VPN client with ISAKMP, you'll also need to forward UDP port 500 for ISAKMP..
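
Added example, not part of any post in this thread: a Python sketch of where a packet filter reads the IP protocol number (byte 9 of the IPv4 header) versus TCP/UDP port numbers (the first four bytes of the transport header). The `port_rule_matches` model of a port-forward entry, the helper names and the sample packets are constructed for illustration and do not describe Linksys firmware.

```python
import struct

# IANA IP protocol numbers: the value in byte 9 of the IPv4 header.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
HAS_PORTS = {"TCP", "UDP"}  # only these transports begin with port fields


def classify(packet: bytes) -> dict:
    """Return the IP protocol name and, for TCP/UDP only, the ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    name = IP_PROTOCOLS.get(packet[9], "other")
    info = {"protocol": packet[9], "name": name, "src_port": None, "dst_port": None}
    if name in HAS_PORTS:
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        info["src_port"], info["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def port_rule_matches(packet: bytes, transport: str, dst_port: int) -> bool:
    """Hypothetical model of a port-forward entry: TCP/UDP plus a destination port."""
    info = classify(packet)
    return info["name"] == transport and info["dst_port"] == dst_port


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum left at 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([203, 0, 113, 10]), bytes([192, 168, 1, 50]))
    return header + payload


# Constructed samples (documentation/private addresses, dummy payloads).
ESP_PACKET = build_ipv4(50, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)  # SPI, sequence
AH_PACKET = build_ipv4(51, struct.pack("!BBHII", 6, 4, 0, 0x2000, 1) + b"\x00" * 12)
IKE_PACKET = build_ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0))  # UDP 500 -> 500
TCP50_PACKET = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, 50, 0, 0, 0x5002, 1024, 0, 0))

if __name__ == "__main__":
    for label, pkt in [("ESP", ESP_PACKET), ("AH", AH_PACKET),
                       ("IKE", IKE_PACKET), ("TCP/50", TCP50_PACKET)]:
        print(label, classify(pkt), "matches TCP port 50 rule:",
              port_rule_matches(pkt, "TCP", 50))
```

The ESP and AH samples carry protocol numbers 50 and 51 with no port fields, so a rule keyed on TCP port 50 or 51 matches only the TCP sample; the ISAKMP sample matches a UDP port 500 rule.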


Author Comment

ID: 9900486
Ok, thanks for the response
So as it looks to me we should be able to make this work with the linksys.
That was a much better explanation than I got from the Linksys folks.

Author Comment

ID: 9903889
One more question on DMZ Host.
Isn't it risky to set up a DMZ host?
LVL 79

Expert Comment

ID: 9904044
Of course it is risky. Make sure you have at least a good host-based software firewall on it...

Author Comment

ID: 9904085
So if I need to set up a DMZ host I should look into a software firewall for that system.
Actually if we have to set up a DMZ host to make this work we will most likely be looking for
a better router/firewall.
LVL 79

Expert Comment

ID: 9904111
I would prefer getting a better router/firewall. One that will terminate the VPN on itself so that you don't have to open up an inside host...
LVL 79

Expert Comment

ID: 9904120
Instead of a router (I'm assuming broadband connection), you might look at something like the PIX 501 firewall...

Author Comment

ID: 9904127
That is what I am going to recommend.
Thanks for your help.

Expert Comment

by:T P
ID: 41839866
I need to have a Windows 2012 server behind a router's LAN. I want to connect remote devices via IPSec/L2TP PSK to the win2012server.

Anyone know which router has built in IP Protocol 50 and 51 for this purpose? I tried a Netgear, a Cisco RV180W, same stupid error 'encountered an error on security layer of negotiation' - sort of filtering or unable to process key exchange. On the Cisco I enabled the IKE and passthrough, but that's as client outbound from LAN, not the other way around, to a server inside LAN.

Any tip on which router can do it, within a reasonable price range for a small office (not, say, a Cisco 1941W)... appreciate any help.

