From: Tracy Blackmore (TracyB@xxxxxxxxx)
Date: Sun Nov 12 2000 - 02:37:17 GMT-3
Keep in mind that 50 and 51 are NOT ports. They are IP protocols just like
ICMP, IGMP, TCP, UDP, etc. They should have something like...

Access-list 101 permit 50 any host x.x.x.x
Access-list 101 permit 51 any host x.x.x.x
Access-list 101 permit udp any host x.x.x.x eq 500
(x.x.x.x = address of your VPN terminator)

The 50 and 51 above are your ESP and AH. You can use either the number or
the names.

Tracy W. Blackmore
T.S. Lad Consulting
1026 E Stanford Ave.
Gilbert, AZ., 85234
(480)558-0472
-----Original Message-----
From: Tony Olzak [mailto:aolzak@buckeye-express.com]
Sent: Sunday, November 12, 2000 10:13 AM
To: Tracy Blackmore; 'Chuck Larrieu'; Vijay Venkatesh
Cc: ccielab@groupstudy.com
Subject: Re: IPSec Firewall
On a practice lab I am studying, the author has those three ports and also
the line:
access-list 100 permit esp ....................
If I have those three ports open, do I need this line too?
Tony
----- Original Message -----
From: "Tracy Blackmore" <TracyB@TSLAD.com>
To: "'Chuck Larrieu'" <chuck@cl.cncdsl.com>; "Tony Olzak"
<aolzak@buckeye-express.com>; "Vijay Venkatesh"
<vijay.venkatesh@usa.net>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, November 11, 2000 8:19 PM
Subject: RE: IPSec Firewall
> Where did you get that you need 1753? The only port that you need on the
> firewall is UDP 500 for IKE. The other things that you need is IP protocol
> code 50 and 51 for AH and ESP SA's. These three things are all you need to
> allow IPSec tunnels.
>
> Tracy W. Blackmore
> T.S. Lad Consulting
> 1026 E Stanford Ave.
> Gilbert, AZ., 85234
> (480)558-0472
>
> -----Original Message-----
> From: Chuck Larrieu [mailto:chuck@cl.cncdsl.com]
> Sent: Saturday, November 11, 2000 5:26 PM
> To: Tony Olzak; Vijay Venkatesh
> Cc: ccielab@groupstudy.com
> Subject: RE: IPSec Firewall
>
> According to IANA
> (http://www.isi.edu/in-notes/iana/assignments/port-numbers)
>
> translogic-lm 1753/tcp Translogic License Manager
> translogic-lm 1753/udp Translogic License Manager
> # Stan Dallas stan@translogic.com
>
> 1753 is one of the so called "registered" ports, greater than 1023. There
> appears to be some question as to whether "registered" means "can't be used
> by any other app ever" :->
>
> Chuck
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony Olzak
> Sent: Friday, November 10, 2000 2:30 PM
> To: Vijay Venkatesh
> Cc: ccielab@groupstudy.com
> Subject: Re: IPSec Firewall
>
> Okay. I get all the other ports, but what is port 1753?
>
> Tony
>
> ----- Original Message -----
> From: "Vijay Venkatesh" <vijay.venkatesh@usa.net>
> To: "Tony Olzak" <aolzak@buckeye-express.com>
> Sent: Friday, November 10, 2000 12:47 PM
> Subject: Re: IPSec Firewall
>
>
> > 1753
> >
> > > Tony Olzak wrote:
> > >
> > > If I've got an IPSec VPN running between two routers, what ports do
> > > I need to keep open on a firewall (ACL)?
> > >
> > >
> > > Tony
> >
>
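
The point made in the thread (50 and 51 are IP protocol numbers, 500 is a UDP port) can be checked mechanically against an ACL. The sketch below is an added example, not code from any poster: it assumes a simplified entry syntax (`any` or `host A.B.C.D`, optional `eq <numeric port>`, one list, first match wins), uses the IOS keywords `esp` and `ahp`, and uses constructed documentation addresses in place of x.x.x.x.

```python
import re

# Simplified first-match checker for extended ACEs; not a full IOS parser.
PROTO = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}  # keyword -> IP protocol
ACE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+(any|host\s+\S+)"
                 r"\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?\s*$", re.I)

def addr_of(spec):
    """'any' -> None (wildcard); 'host A.B.C.D' -> 'A.B.C.D'."""
    return None if spec.lower() == "any" else spec.split()[1]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]', else None."""
    m = ACE.match(line.strip())
    name = m[2].lower() if m else ""
    if name not in PROTO and not name.isdigit():
        return None
    return {"permit": m[1].lower() == "permit",
            "proto": PROTO[name] if name in PROTO else int(name),
            "src": addr_of(m[3]), "dst": addr_of(m[4]),
            "port": int(m[5]) if m[5] else None, "line": line.strip()}

def permits(aces, proto, src, dst, dport=None):
    """First matching entry decides; the list ends with an implicit deny."""
    for a in aces:
        if (a["proto"] in (None, proto) and a["src"] in (None, src)
                and a["dst"] in (None, dst) and a["port"] in (None, dport)):
            return a["permit"]
    return False

def check_ipsec_acl(acl_text, peer, vpn):
    """Report whether ESP, AH and IKE from peer reach the VPN terminator."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return {"esp": permits(aces, 50, peer, vpn),        # IP protocol 50
            "ah": permits(aces, 51, peer, vpn),         # IP protocol 51
            "ike": permits(aces, 17, peer, vpn, 500),   # UDP port 500
            "port_mistakes": [a["line"] for a in aces   # 50/51 written as ports
                              if a["proto"] in (6, 17) and a["port"] in (50, 51)]}

VPN, PEER = "192.0.2.10", "198.51.100.7"      # constructed documentation addresses
AS_PORTS = "\n".join(f"access-list 101 permit udp any host {VPN} eq {n}" for n in (50, 51, 500))
AS_PROTOCOLS = (f"access-list 101 permit 50 any host {VPN}\n"
                f"access-list 101 permit 51 any host {VPN}\n"
                f"access-list 101 permit udp any host {VPN} eq 500")

if __name__ == "__main__":
    print(check_ipsec_acl(AS_PORTS, PEER, VPN))       # IKE passes, ESP/AH dropped
    print(check_ipsec_acl(AS_PROTOCOLS, PEER, VPN))   # all three pass
```

With the "ports" version IKE negotiates but the ESP/AH traffic itself hits the implicit deny, which is the symptom the misreading produces.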