Protocols 50 and 51 with Linksys router

Is a BEFSR11 Linksys router capable of letting in Protocols 50 and 51?
I am under the understanding that protocols and ports are 2 different things.
I would not set up port 50 and 51 to be forwarded. Am I correct?
I called Linksys but the person I was talking to kept insisting they were port numbers.
I guess it's too much to ask Linksys tech support to know their product.

To answer the difference between port and protocol:

  Protocol - When data is being transmitted between two or more devices something needs to govern the controls that keep this data intact. A formal description of message formats and the rules two computers must follow to exchange those messages. Protocols can describe low-level details of machine-to-machine interfaces (e.g., the order in which bits and bytes are sent across a wire) or high-level exchanges between application programs (e.g., the way in which two programs transfer a file across the Internet). [San Diego State University]

Ports are used by the TCP/IP suite of protocols to establish a basis and consensus on standard applications, such as DNS, which runs on TCP port 53.

So, when you say you need 50 and 51 open, most likely it's either UDP or TCP ports 50 and 51. So the Linksys tech guy was correct, sorry.

The Linksys routers can forward these ports to a static internal address. Follow these instructions:

Port forwarding is a method that allows you to run a server behind the router. Port Forwarding opens a specific port to a computer behind the router, allowing all incoming traffic on that port to be sent directly to that server. It should be used to set up servers behind the router.
Port Triggering (KB10934316) is a better choice for non-server applications (such as instant messengers and game servers).
Below is an example of how to set up Port Forwarding. For our example, we will be setting up an FTP Server and a Mail Server that uses SMTP and POP3.
FTP uses ports: 20 and 21
SMTP uses port: 25
POP3 uses port: 110

Getting Started
1. You must set a static IP address on the server. If you are unsure of how to do this, please see Article KB10934010 for information on setting a static IP address in Windows.
2. Once the static IP address has been assigned to the server, open a web browser and type in the IP address of the router into the browser address bar ( is the default IP of Linksys routers).
3. When the username and password prompt appears, skip the username field and type admin for the password. Click OK or press the [Enter] key to load the router's "Setup" page. If you have changed the password, use it to access the router's "Setup" page when this prompt appears.
Note: If you have forgotten the IP address or the password of the router (if either was changed), you must reset the router to factory defaults by holding in the Reset button on the router for 30 seconds.
4. Click on the Advanced tab on the upper right corner. Once the new page appears, click on the Forwarding tab.
5. You will need to input entries into the first three lines of this Forwarding table.
For example:
Customized Applications
 Ext. Port
 IP Address  
FTP 20 to 21 Both CHECK
SMTP 25 to 25 Both CHECK
POP3 110 to 110 TCP CHECK
 Customized Applications:  A name you choose to name what the ports will be used for.
Ext. Port:  The external range of ports of the application that will be used.
Protocol:  The protocols that the application will use, TCP, UDP, or Both.  May be chosen with checkboxes or a drop-down menu depending on firmware version.
IP Address:  The static IP address of the server computer.  This IP address was set in Step 1.

 Good Luck
pauls681 (Author) Commented:
If protocol 50 and 51 are the same as ports then why don't they call them ports?????
It specifically states open port xxx and protocols 50 and 51. If it means port then why call them protocols?? I know protocols and ports are not the same.
I don't believe your answer is correct.
Does anyone else have any input or can verify the above explanation?
My 2 cents for what it's worth...

Generally speaking, you are correct that protocols do not equal ports. For example,
GRE as a protocol has no concept of ports.
However, in this case, Protocol 50 and 51 are the well known port numbers assigned to the
Authentication Header and Encapsulating Security Payload components of the IPSec protocol.
ESP = 50, AH = 51
In a Cisco access-list I have the option of using "esp" or "tcp port 50", i.e.
access-list xyz permit esp host a.b.c.d host c.f.g.h
access-list xyz permit tcp host a.b.c.d eq 50 host c.f.g.h eq 50

The official IANA port numbers listing has a different use for tcp/udp ports 50/51:
re-mail-ck       50/tcp    Remote Mail Checking Protocol
re-mail-ck       50/udp    Remote Mail Checking Protocol
la-maint         51/tcp    IMP Logical Address Maintenance
la-maint         51/udp    IMP Logical Address Maintenance

While the official IANA protocol-number list is clear, yet even the RFCs are not clear on the ports used...
50     ESP         Encap Security Payload for IPv6   [RFC2406]
51     AH          Authentication Header for IPv6    [RFC2402]

Since the Linksys doesn't have quite that much intelligence to recognize different protocols, they have given you the ability to enable/disable IPSEC and PPTP "passthrough", but that is generally for outbound. If you set up an inside host as a "dmz" host on the Linksys, then it will certainly pass IPSEC through to it. You can also enable port forwarding and forward TCP port 50 and 51 to an internal host. However, AH does not work through NAT, period, so you'll be out of luck at that point anyway.

If you're using a VPN client with ISAKMP, you'll also need to forward UDP port 500 for ISAKMP.
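
Added example, not part of the original thread: a Python sketch showing where the IP protocol number and the TCP/UDP port numbers sit in a packet, and what a TCP/UDP port-forwarding rule can and cannot match for ESP (50) and AH (51) traffic. The function names, addresses (documentation ranges) and packets are constructed for illustration.

```python
import struct

# IANA protocol numbers cited in the thread, plus TCP and UDP for comparison.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )
    return header + payload

def classify(packet):
    """Return what a filter can key on: protocol number, then ports or SPI."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # the "protocol" field of the IP header
    body = packet[ihl:]
    info = {"protocol": proto, "name": IP_PROTOCOLS.get(proto, "other"),
            "src_port": None, "dst_port": None, "spi": None}
    if proto in (6, 17) and len(body) >= 4:
        # Only TCP and UDP headers start with source and destination ports.
        info["src_port"], info["dst_port"] = struct.unpack("!HH", body[:4])
    elif proto == 50 and len(body) >= 8:
        info["spi"] = struct.unpack("!I", body[:4])[0]    # ESP: SPI, then sequence
    elif proto == 51 and len(body) >= 12:
        info["spi"] = struct.unpack("!I", body[4:8])[0]   # AH: SPI follows 4 bytes
    return info

def matches_port_forward(packet, rule_proto, rule_port):
    """True if a TCP/UDP port-forward rule (e.g. 'TCP 50') applies to packet."""
    info = classify(packet)
    return info["name"] == rule_proto and info["dst_port"] == rule_port

# Constructed samples: ISAKMP on UDP 500, ESP, AH, and a TCP segment to port 50.
ISAKMP = build_ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0))
ESP = build_ipv4(50, struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16)
AH = build_ipv4(51, struct.pack("!BBHII", 50, 4, 0, 0x2000, 1) + b"\x00" * 12)
TCP_50 = build_ipv4(6, struct.pack("!HHIIBBHHH", 40000, 50, 0, 0, 0x50, 2, 1024, 0, 0))

if __name__ == "__main__":
    for label, pkt in (("ISAKMP", ISAKMP), ("ESP", ESP), ("AH", AH), ("TCP/50", TCP_50)):
        print(label, classify(pkt))
    print("ESP matched by a 'TCP 50' forward:", matches_port_forward(ESP, "TCP", 50))
```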

pauls681 (Author) Commented:
Ok, thanks for the response.
So as it looks to me we should be able to make this work with the Linksys.
That was a much better explanation than I got from the Linksys folks.
pauls681 (Author) Commented:
One more question on DMZ Host.
Isn't it risky to set up a DMZ host?
Of course it is risky. Make sure you have at least a good host-based software firewall on it...
pauls681 (Author) Commented:
So if I need to set up a DMZ host I should look into a software firewall for that system.
Actually if we have to set up a DMZ host to make this work we will most likely be looking for
a better router/firewall.
I would prefer getting a better router/firewall. One that will terminate the VPN on itself so that you don't have to open up an inside host...
Instead of a router (I'm assuming broadband connection), you might look at something like the PIX 501 firewall...
pauls681 (Author) Commented:
That is what I am going to recommend.
Thanks for your help.
T P Commented:
I need to have a Windows 2012 server behind a router's LAN. I want to connect remote devices via IPSec/L2TP PSK to the win2012server.

Anyone know which router has built-in IP Protocol 50 and 51 for this purpose? I tried a Netgear, a Cisco RV180W, same stupid error 'encountered an error on security layer of negotiation' - sort of filtering or unable to process key exchange. On the Cisco I enabled the IKE and passthrough, but that's as client outbound from LAN, not the other way around, to a server inside LAN.

Any tip on which router can do it, within a reasonable price range for a small office (not, say, a Cisco 1941W)... Appreciate any help.
