From: Larry Roberts (groupstudy@american-hero.com)
Date: Thu Jul 27 2006 - 10:52:59 ART
UDP 500 is for ISAKMP.
UDP 4500 is for NAT-T or NAT transparency.
If your device behind the FW that is terminating the tunnels needs to
support NAT-T, then yes, you do need to permit it, but it's not part of
ISAKMP, but rather part of the actual data transfer (ESP).
Now, if you're not doing NAT on the FW, then you need to permit UDP 500 for
ISAKMP and also ESP for the data transfer.
Hussein Ghazy wrote:
> Hi,
>
>
> I want to allow ISAKMP traffic through the PIX firewall from the outside
> interface.
>
> Do I need to create 2 UDP access-list entries on the outside interface, one for
> eq isakmp and the second for eq 4500?
>
> Thanks
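As an added example (not part of the original post or either poster's configuration), here is a PIX 6.x style access-list that covers all three cases raised above: ISAKMP on UDP 500, NAT-T on UDP 4500, and native ESP (IP protocol 50) to a VPN endpoint behind the firewall. The ACL name, interface and addresses (outside_in, 203.0.113.10 as the public address, 10.1.1.10 as the inside VPN device) are assumptions chosen for illustration.

```cisco
! Assumed: the tunnel endpoint is 10.1.1.10 on the inside, reachable from
! the outside as 203.0.113.10. An inbound session to an inside host on a
! PIX 6.x needs a static translation before any ACL entry can match it.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! IKE phase 1/2 negotiation (ISAKMP) arrives on UDP 500.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp

! NAT traversal: once the peers detect a NAT in the path, IKE moves to
! UDP 4500 and ESP is carried UDP-encapsulated on the same port
! (RFC 3947 / RFC 3948). Only needed when a NAT sits between the peers;
! a static that rewrites the address, as above, counts as one.
access-list outside_in permit udp any host 203.0.113.10 eq 4500

! Native ESP for the data path when no NAT is in the way.
access-list outside_in permit esp any host 203.0.113.10

! Apply the list inbound on the outside interface.
access-group outside_in in interface outside
```

If the PIX itself were the tunnel endpoint instead of a host behind it, the ACL entries would not be needed, since the PIX can bypass the interface ACL for its own IPsec sessions with sysopt connection permit-ipsec; that does not apply to a device behind the firewall, which is the case discussed in this thread. Verify with show access-list outside_in after bringing the tunnel up: hit counts on the udp/500 line with none on udp/4500 or esp mean phase 1 completed but the data path is being dropped, which usually points at the missing ESP or 4500 entry.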
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART