UDP 500 in both directions and protocols 50 and 51

I need to allow UDP port 500 in both directions in my firewall as well as protocols 50 and 51.  Below is my current configuration.  What do I need to add or change?  Port 500 is changed to isakmp when I add it to the access list.

interface FastEthernet0/0
 ip address 66.xxx.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip nat outside
 speed 10
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description connected to EthernetLAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.1 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.4 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.3 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.2 66.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.
no ip http server
!

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any any eq 50
access-list 101 permit tcp any eq 50 any
access-list 101 permit tcp any any eq 51
access-list 101 permit tcp any eq 51 any
access-list 101 permit tcp any any eq 2010
access-list 101 permit tcp any eq 2010 any
access-list 101 permit udp any any eq 50
access-list 101 permit udp any eq 50 any
access-list 101 permit udp any any eq 51
access-list 101 permit udp any eq 51 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any eq isakmp any
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any eq ftp-data any
access-list 101 permit tcp any any eq 5190
access-list 101 permit tcp any eq 5190 any
access-list 101 permit tcp any any eq 1863
access-list 101 permit tcp any eq 1863 any
access-list 101 permit tcp any any eq 4190
access-list 101 permit tcp any eq 4190 any
access-list 101 permit tcp any any eq 7000
access-list 101 permit tcp any eq 7000 any
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any eq 143 any
access-list 101 permit tcp any any eq 5050
access-list 101 permit tcp any eq 5050 any
access-list 101 permit tcp any any eq 4661
access-list 101 permit tcp any eq 4661 any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq 32656
access-list 101 permit tcp any eq 32656 any
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any eq 3389 any
access-list 101 permit tcp any any eq 3265
access-list 101 permit udp any any eq 3389
access-list 101 permit udp any eq 3389 any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any eq 443 any

Thank You for your help
Asked by kamilw

1 Solution
 
lrmoore commented:
>Port 500 is changed to isakmp when I add it to the access list.
Yes, UDP 500 = ISAKMP

You have already added protocols 50 and 51
access-list 101 permit esp any any   <= 50
access-list 101 permit ahp any any   <= 51
                       
 
lrmoore commented:
One thing I don't see that might help you:
Add this near the top of the acl:
    access-list 101 permit tcp any any established
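To make lrmoore's two points concrete (the protocol 50/51 entries are the `esp` and `ahp` lines, not the TCP/UDP port 50/51 lines, and an `established` entry near the top admits return traffic without opening every high port), here is an added Python example that is not part of this thread and is not IOS code: a first-match evaluator for a subset of numbered extended ACL syntax, run against a constructed subset of ACL 101. On IOS, `ip access-group 101 in` filters only packets arriving on FastEthernet0/0, so on that one inbound list "both directions" of IKE is the pair of `isakmp` lines (destination port 500 and source port 500). The peer and outside addresses are documentation placeholders, and the parser handles only `any`/`host`/wildcard addresses, `eq`/`range` port operators and `established`.

```python
"""First-match evaluator for a subset of Cisco IOS numbered extended ACL
syntax.  Added example, not IOS code: it models 'any'/'host'/wildcard
addresses, 'eq'/'range' port operators, 'established' and the implicit
deny at the end of every ACL."""
import ipaddress

PROTO_KEYWORDS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}
# Names IOS substitutes for well-known ports when it prints an ACL.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53,
              "isakmp": 500, "non500-isakmp": 4500}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcard assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq P' or 'range P1 P2' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        return ("eq", _port(tokens[1]), None), tokens[2:]
    if tokens and tokens[0] == "range":
        return ("range", _port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] not in PROTO_KEYWORDS:
        raise ValueError("not an extended ACE: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest}


def _port_ok(op, port):
    if op is None:
        return True
    return port == op[1] if op[0] == "eq" else op[1] <= port <= op[2]


def ace_matches(ace, flow):
    """Protocol, addresses and ports must all match; 'established' also needs the ACK flag."""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if not _port_ok(ace["sport"], flow.get("sport")) or not _port_ok(ace["dport"], flow.get("dport")):
        return False
    if ace["established"] and not flow.get("ack"):
        return False
    return True


def evaluate(acl_lines, flow):
    """Return (action, matching line); an unmatched flow hits the implicit deny (no line)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"], line
    return "deny", None


# Constructed subset of the posted ACL 101 (applied inbound on the outside
# interface) with the 'established' line placed first.
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 2010
access-list 101 permit tcp any any eq 50
access-list 101 permit udp any any eq 50
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any eq isakmp any
access-list 101 permit esp any any
access-list 101 permit ahp any any
""".strip().splitlines()

PORT_50_ONLY = ACL_101[3:5]   # just the TCP/UDP port-50 lines
PEER, OUTSIDE = "203.0.113.10", "198.51.100.1"   # placeholder public addresses


def ipsec_flow_results(acl_lines, peer=PEER, outside=OUTSIDE):
    """Verdicts for the inbound flows an IPsec peer and the TCP/2010 test generate."""
    flows = {
        "isakmp": dict(proto="udp", src=peer, sport=500, dst=outside, dport=500),
        "esp": dict(proto="esp", src=peer, dst=outside),
        "ah": dict(proto="ahp", src=peer, dst=outside),
        "nat_t_4500": dict(proto="udp", src=peer, sport=4500, dst=outside, dport=4500),
        "tcp_2010_syn": dict(proto="tcp", src=peer, sport=40000, dst=outside, dport=2010),
        "tcp_2010_reply": dict(proto="tcp", src=peer, sport=2010, dst=outside, dport=40000, ack=True),
        "tcp_from_2010_syn": dict(proto="tcp", src=peer, sport=2010, dst=outside, dport=40000),
    }
    return {name: evaluate(acl_lines, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in ipsec_flow_results(ACL_101).items():
        print(f"{name:18s} {verdict}")
    print("ESP through port-50 lines only:", ipsec_flow_results(PORT_50_ONLY)["esp"])
```

Run as-is it reports ISAKMP, ESP, AH and the TCP/2010 connection as permitted, UDP 4500 (NAT-T) as denied because no line covers it, and ESP as denied when only the port-50 lines are present. The last two flows show what `established` buys: the reply from the peer's port 2010 passes because it carries ACK, while a fresh connection that merely uses source port 2010 to reach an inside high port does not; the posted `permit tcp any eq 2010 any` line would admit both.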
 
kamilw (author) commented:
It looks right to me also; however, it's not connecting.  From looking at my config, are you certain that I'm allowing UDP 500 both in and out?
lrmoore commented:
Your access-list is restricting/permitting inbound
You have no access-list applied to the inside interface or outbound anywhere, so all traffic is permitted out.

Just for information, AHP does not support NAT so if your application requires it, and you are using static nat entries, AHP will break.
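lrmoore's warning that AH breaks behind static NAT follows from what the AH integrity check value covers: the IP header's immutable fields, which include the source and destination addresses, so a NAT rewrite on either end invalidates the ICV at the receiver, whereas the ESP ICV covers only the ESP header and payload and survives a one-to-one address translation (ESP through the `overload` PAT is a separate problem, since ESP has no port numbers for the translation table, which is what NAT-T's UDP 4500 encapsulation addresses). The following Python script is an added model of that, not code from the thread: HMAC-SHA256 truncated to 96 bits stands in for the negotiated integrity algorithm, the ESP "encryption" is a placeholder XOR, the header checksum is left at zero, and all addresses are placeholders.

```python
"""Model of why AH (IP protocol 51) fails across NAT while ESP (50) does not.
Added example: an AH-style ICV over the IPv4 header's immutable fields plus
the AH header and payload (RFC 4302), an ESP-style ICV over only the ESP
header and payload (RFC 4303), then a NAT source rewrite and a TTL decrement."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"      # real SA keys come from IKE, not a constant
ESP_PROTO, AH_PROTO = 50, 51


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(hdr):
    """Zero the fields RFC 4302 excludes from the AH ICV: ToS, flags/offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data):
    """HMAC truncated to 96 bits, standing in for HMAC-SHA1-96 or similar."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ah_packet(src, dst, payload):
    """Returns (ip_header, ah_header + icv + payload); the ICV covers the addresses."""
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, 0x100, 1)   # next=TCP, len, reserved, SPI, seq
    hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + 12 + len(payload))
    tag = icv(zero_mutable(hdr) + ah_hdr + bytes(12) + payload)
    return hdr, ah_hdr + tag + payload


def ah_verify(hdr, body):
    ah_hdr, tag, payload = body[:12], body[12:24], body[24:]
    return hmac.compare_digest(tag, icv(zero_mutable(hdr) + ah_hdr + bytes(12) + payload))


def esp_packet(src, dst, payload):
    """Returns (ip_header, esp_header + ciphertext + icv); the ICV ignores the IP header."""
    esp_hdr = struct.pack("!II", 0x200, 1)               # SPI, seq
    ct = bytes(b ^ 0x5A for b in payload)                # placeholder, not ESP encryption
    body = esp_hdr + ct + icv(esp_hdr + ct)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body)), body


def esp_verify(hdr, body):
    esp_hdr, ct, tag = body[:8], body[8:-12], body[-12:]
    return hmac.compare_digest(tag, icv(esp_hdr + ct))


def nat_rewrite_src(hdr, new_src):
    """What a static NAT does on egress: swap the source address (checksum fix-up omitted)."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]


def decrement_ttl(hdr):
    """What every router on the path does; TTL is mutable, so AH tolerates it."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


INSIDE, PUBLIC, PEER = "192.168.1.1", "198.51.100.1", "203.0.113.10"   # placeholders
PAYLOAD = b"constructed TCP/2010 segment"


def ah_survives_nat():
    hdr, body = ah_packet(INSIDE, PEER, PAYLOAD)
    return ah_verify(nat_rewrite_src(hdr, PUBLIC), body)


def ah_survives_ttl_decrement():
    hdr, body = ah_packet(INSIDE, PEER, PAYLOAD)
    return ah_verify(decrement_ttl(hdr), body)


def esp_survives_nat():
    hdr, body = esp_packet(INSIDE, PEER, PAYLOAD)
    return esp_verify(nat_rewrite_src(hdr, PUBLIC), body)


if __name__ == "__main__":
    print("AH after static NAT:", ah_survives_nat())
    print("AH after TTL decrement:", ah_survives_ttl_decrement())
    print("ESP after static NAT:", esp_survives_nat())
```

The peer verifying the AH packet sees the translated source address, recomputes the ICV over it and gets a different value, so the packet is dropped before the application ever sees TCP/2010; the same packet with only its TTL changed verifies, which is why AH works across plain routers but not across NAT.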
 
Tim Holman commented:
Can the VPN servers on either side of this PIX ping each other, or are we talking about a VPN server on one side of the world talking to a VPN server with a private IP behind this PIX?
In the latter case, you WILL need static NAT so that both of these VPN servers have public, routable IP addresses.
What are you trying to get working here?
You need protocols 50 and 51, UDP 500 (isakmp), plus maybe UDP 4500 for NAT-T and UDP 10000 for clients??
 
kamilw (author) commented:
I'm pretty new at this, but I did find more info that says that AHP doesn't work with NAT.  What can I replace NAT with?  I have about 35 computers behind this firewall, all with private IP addresses.  The boxes that NAT is used for are web servers and need to be accessed by the world.
 
Tim Holman commented:
Take a step back...
What exactly are you trying to do here??  Have you a VPN server and VPN clients??
 
kamilw (author) commented:
It's supposed to create a connection from my web server to look up shipping status and update my SQL tables.

Supposedly this is very easy.  I was told that all I need is to open port 2010, UDP 500 in both directions and protocols 50 and 51.  I was also given an IPsec policy to assign.  Before I even create a file which will open the connection and update my tables with received data, I was told to test the connection using telnet on port 2010.  I can't connect.  You stated above that this is because of AHP and NAT.  How can I set up the particular IP that I'm connecting from without NAT?
 
Tim Holman commented:
To allow these ports in both directions, you need to apply your access list in both directions:

access-list 102 permit udp any external_web_server_ip eq isakmp  
access-list 102 permit tcp any external_web_server_ip eq 2010
access-list 102 permit esp any external_web_server_ip
access-list 102 permit ahp any external_web_server_ip

Then use access-group to apply:

access-group 102 in interface outside
access-group 102 in interface inside

But with any VPN connection, both ends will need to see each other.  Both ends need PUBLIC IP addresses, whether these are real public addresses or addresses hidden behind NAT.

So we need to setup NAT:

static (inside,outside) external_web_server_ip internal_web_server_ip netmask 255.255.255.255 0 0

Tell whoever told you to open all these ports up that your web server doesn't have a public IP, if this is indeed the case.  They should understand this as it's a basic networking concept!