Solved

UDP 500 in both directions and protocols 50 and 51

Posted on 2004-04-28
Last Modified: 2007-09-14
I need to allow UDP port 500 in both directions in my firewall as well as protocols 50 and 51.  Below is my current configuration.  What do I need to add or change?  Port 500 is changed to isakmp when I add it to the access list.

interface FastEthernet0/0
 ip address 66.xxx.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip nat out
 speed 10
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description connected to EthernetLAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.1 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.4 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.3 66.xxx.xxx.xxx
ip nat inside source static 192.168.1.2 66.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.
no ip http server
!

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp
access-list 101 permit tcp any any eq 50
access-list 101 permit tcp any eq 50 any
access-list 101 permit tcp any any eq 51
access-list 101 permit tcp any eq 51 any
access-list 101 permit tcp any any eq 2010
access-list 101 permit tcp any eq 2010 any
access-list 101 permit udp any any eq 50
access-list 101 permit udp any eq 50 any
access-list 101 permit udp any any eq 51
access-list 101 permit udp any eq 51 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any eq isakmp any
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any eq ftp-data any
access-list 101 permit tcp any any eq 5190
access-list 101 permit tcp any eq 5190 any
access-list 101 permit tcp any any eq 1863
access-list 101 permit tcp any eq 1863 any
access-list 101 permit tcp any any eq 4190
access-list 101 permit tcp any eq 4190 any
access-list 101 permit tcp any any eq 7000
access-list 101 permit tcp any eq 7000 any
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any eq 143 any
access-list 101 permit tcp any any eq 5050
access-list 101 permit tcp any eq 5050 any
access-list 101 permit tcp any any eq 4661
access-list 101 permit tcp any eq 4661 any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq 32656
access-list 101 permit tcp any eq 32656 any
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any eq 3389 any
access-list 101 permit tcp any any eq 3265
access-list 101 permit udp any any eq 3389
access-list 101 permit udp any eq 3389 any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any eq 443 any

Thank You for your help
Question by:kamilw

Expert Comment by:lrmoore
ID: 10943294
>Port 500 is changed to isakmp when I add it to the access list.
Yes, UDP 500 = ISAKMP

You have already added protocols 50 and 51
access-list 101 permit esp any any   <= 50
access-list 101 permit ahp any any   <= 51

Expert Comment by:lrmoore
ID: 10943316
One thing I don't see that might help you:
Add this near the top of the acl:
    access-list 101 permit tcp any any established

Author Comment by:kamilw
ID: 10943391
It looks right to me also, however it's not connecting.  From looking at my config, are you certain that I'm allowing UDP 500 both in and out?

Expert Comment by:lrmoore
ID: 10943701
Your access-list is restricting/permitting inbound
You have no access-list applied to the inside interface or outbound anywhere, so all traffic is permitted out.

Just for information, AHP does not support NAT so if your application requires it, and you are using static nat entries, AHP will break.

Expert Comment by:Tim Holman
ID: 10948239
Can the VPN servers on either side of this PIX ping each other, or are we talking about a VPN server on one side of the world talking to a VPN server with a private IP behind this PIX ?
In the latter case, you WILL need static NAT so that both of these VPN servers have public, routable IP addresses.
What are you trying to get working here ?
You need protocol 50, 51, UDP 500 (isakmp), plus maybe UDP 4500 for NAT-T and UDP 10000 for clients ??

Author Comment by:kamilw
ID: 10950559
I'm pretty new at this, but I did find more info that says that AHP doesn't work with NAT.  What can I replace NAT with?  I have about 35 computers behind this firewall, all with private IP addresses.  The boxes that NAT is used for are web servers and need to be accessed by the world.

Expert Comment by:Tim Holman
ID: 10950832
Take a step back...
What exactly are you trying to do here ??  Have you a VPN server and VPN clients ??

Author Comment by:kamilw
ID: 10951179
It's supposed to create a connection from my web server to look up shipping status and update my SQL tables.

Supposedly this is very easy.  I was told that all I need is to open port 2010, UDP 500 in both directions and protocols 50 and 51.  I was also given an IPsec policy to assign.  Before I even create a file which will open the connection and update my tables with received data, I was told to test the connection using telnet on port 2010.  I can't connect.  You stated above that this is because of AHP and NAT.  How can I set up the particular IP that I'm connecting from without NAT?

Accepted Solution by:Tim Holman (earned 250 total points)
ID: 10966764
To allow these ports in both directions, you need to apply your access list in both directions:

access-list 102 permit udp any external_web_server_ip eq isakmp  
access-list 102 permit tcp any external_web_server_ip eq 2010
access-list 102 permit esp any external_web_server_ip
access-list 102 permit ahp any external_web_server_ip

Then use access-group to apply:

access-group 102 in interface outside
access-group 102 in interface inside

But with any VPN connection, both ends will need to see each other.  Both ends need PUBLIC IP addresses, whether this be real public address, or hidden behind NAT.

So we need to setup NAT:

static (inside,outside) external_web_server_ip internal_web_server_ip netmask 255.255.255.255 0 0

Tell whoever told you to open all these ports up that your web server doesn't have a public IP, if this is indeed the case.  They should understand this as it's a basic networking concept!
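To answer kamilw's "am I certain I'm allowing UDP 500 both in and out?" with something checkable, here is a small Python evaluator for the IOS extended-ACL grammar the posted config uses (an added example, not the router's output and not any poster's code). It walks the IPsec-relevant lines of ACL 101 from the question top-down, first match wins, and reports the verdict for IKE (UDP 500 to 500), ESP, AH, the TCP 2010 test port and one port the list never names; PEER and OUTSIDE are constructed placeholder addresses, and only the "any" / "host" address forms are handled. Because ACL 101 is applied only with "ip access-group 101 in" on FastEthernet0/0 and nothing is applied outbound, these inbound verdicts are the whole story for this router.

```python
import ipaddress
import re

# Keyword tables for the subset of IOS extended-ACL syntax that appears in the thread.
PORT_NAMES = {"isakmp": 500, "www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ahp": 51}
ACE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (any|host \S+)(?: eq (\S+))? (any|host \S+)(?: eq (\S+))?")

def _net(spec):  # 'any' or 'host A.B.C.D' -> ip_network
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec.split()[1] + "/32")

def _port(spec):  # None, a service name from PORT_NAMES, or a decimal port
    return None if spec is None else PORT_NAMES.get(spec) or int(spec)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'; None for other lines."""
    m = ACE.match(line.strip())
    if not m:
        return None
    acl, action, proto, src, sport, dst, dport = m.groups()
    return {"acl": acl, "permit": action == "permit", "proto": PROTO_NAMES[proto],
            "src": _net(src), "sport": _port(sport), "dst": _net(dst), "dport": _port(dport)}

def evaluate(lines, acl, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins; the implicit 'deny ip any any' at the end yields False."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in filter(None, map(parse_ace, lines)):
        if (ace["acl"] == acl and ace["proto"] in (None, proto) and s in ace["src"]
                and d in ace["dst"] and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)):
            return ace["permit"]
    return False

# The IPsec-relevant entries of ACL 101 exactly as posted in the question above.
ACL_101 = """access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any eq isakmp any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq 2010""".splitlines()
PEER, OUTSIDE = "203.0.113.5", "198.51.100.10"  # constructed: remote VPN peer, router WAN address

def inbound_verdicts():
    """What ACL 101 (applied 'in' on FastEthernet0/0) does with each inbound flow from the peer."""
    return {
        "ike": evaluate(ACL_101, "101", 17, PEER, OUTSIDE, sport=500, dport=500),
        "esp": evaluate(ACL_101, "101", 50, PEER, OUTSIDE),
        "ah": evaluate(ACL_101, "101", 51, PEER, OUTSIDE),
        "tcp-2010": evaluate(ACL_101, "101", 6, PEER, OUTSIDE, sport=40001, dport=2010),
        "ssh": evaluate(ACL_101, "101", 6, PEER, OUTSIDE, sport=40002, dport=22),  # implicit deny
    }
```

The ACL admits every flow the VPN needs, so the failure kamilw sees is not the access list; it lines up with lrmoore's and Tim's point that AH (protocol 51) cannot survive the static NAT translation on this router.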