«

Hi All
I have a very simple outbound ACL on a Pix 501:

access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
access-list in-out line 8 permit tcp any any eq https (hitcnt=
access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

I am trying to create an ipsec tunnel through 501 to another PIX with a
cisco client. The log shows that phase 1 (IKE) is completing
successfully, but the connection fails after that. If I remove the ACL
from the inside interface (no access-group in-out in interface inside)
the client connects immediately.

I know I am probably missing something obvious here, but any help would
really be appreciated.

Thanks.

In article < .com>,
xman <> wrote:
:I have a very simple outbound ACL on a Pix 501:

:access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
:access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
:access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
:access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
:access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
:access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
:access-list in-out line 8 permit tcp any any eq https (hitcnt=
:access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

:I am trying to create an ipsec tunnel through 501 to another PIX with a
:cisco client. The log shows that phase 1 (IKE) is completing
:successfully, but the connection fails after that. If I remove the ACL
:from the inside interface (no access-group in-out in interface inside)
:the client connects immediately.

Make sure that nat-traversal is turned on on the remote pix
(isakmp nat-traversal 20), and open outbound port udp 4500.
--
Would you buy a used bit from this man??

Thank you very much. UDP 4500 did the trick.

xman <> wrote:

> I have a very simple outbound ACL on a Pix 501:
>
> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
>
> I am trying to create an ipsec tunnel through 501 to another PIX with a
> cisco client. The log shows that phase 1 (IKE) is completing
> successfully, but the connection fails after that. If I remove the ACL
> from the inside interface (no access-group in-out in interface inside)
> the client connects immediately.
>
> I know I am probably missing something obvious here, but any help would
> really be appreciated.

I see you have had one answer suggested already but I suspect those two
ACL lines above are not what you intended (i.e. opening ports for Remote
Mail Checking Protocol & IMP Logical Address Maintenance). I would
think you want to allow ESP & AH traffic to pass, you need to allow
*protocols* 50 & 51 through NOT TCP *ports*. I think you probably
intended something closer to the following:

access-list in-out line 5 permit ah any any
access-list in-out line 6 permit esp any any
--
-> The email address used in this message *IS* valid <-

In article <1gwmk2r.ugl2szt8jje7N%{$PW$}@womar.co.uk>,
Paul Womar <{$PW$}@womar.co.uk> wrote:
man <> wrote:
:> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)

:I see you have had one answer suggested already but I suspect those two
:ACL lines above are not what you intended (i.e. opening ports for Remote
:Mail Checking Protocol & IMP Logical Address Maintenance).

I missed that in my answer, partly because I know that ESP and AH
show up by name instead of by number, so I didn't "see" the 50 and 51.

: I would
:think you want to allow ESP & AH traffic to pass, you need to allow
:*protocols* 50 & 51 through NOT TCP *ports*. I think you probably
:intended something closer to the following:

:access-list in-out line 5 permit ah any any
:access-list in-out line 6 permit esp any any

Those aren't needed. The structure of the ACLs suggests strongly
that the OP is doing PAT, NAT at the very least. AH can't be
NAT'd, and ESP can't be PAT'd, so if AH or ESP were the issue then
probably the connection wouldn't have worked even without the
inside ACL. ESP will work with static NAT, but if the problem were
with ESP not getting through static NAT then the OP would have needed
to have opened ESP from the outside to the inside, and in doing so
would have noticed that it was a protocol rather than a port.


When you have nat-traversal active in a PAT situation, you need
UDP 500 and UDP 4500, and everything else is handled dynamically.

--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey