IPSEC tunnel through outbound ACL on PIX 501

Discussion in 'Cisco' started by xman, May 15, 2005.

  1. xman

    xman Guest

    Hi All
    I have a very simple outbound ACL on a Pix 501:

    access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
    access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
    access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
    access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
    access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
    access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
    access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
    access-list in-out line 8 permit tcp any any eq https (hitcnt=8)
    access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

    I am trying to create an ipsec tunnel through 501 to another PIX with a
    cisco client. The log shows that phase 1 (IKE) is completing
    successfully, but the connection fails after that. If I remove the ACL
    from the inside interface (no access-group in-out in interface inside)
    the client connects immediately.

    I know I am probably missing something obvious here, but any help would
    really be appreciated.

    Thanks.
    xman, May 15, 2005
    #1

  2. In article <>,
    xman <> wrote:
    :I have a very simple outbound ACL on a Pix 501:

    :access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
    :access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
    :access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
    :access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
    :access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
    :access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
    :access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
    :access-list in-out line 8 permit tcp any any eq https (hitcnt=8)
    :access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

    :I am trying to create an ipsec tunnel through 501 to another PIX with a
    :cisco client. The log shows that phase 1 (IKE) is completing
    :successfully, but the connection fails after that. If I remove the ACL
    :from the inside interface (no access-group in-out in interface inside)
    :the client connects immediately.

    Make sure that nat-traversal is turned on on the remote pix
    (isakmp nat-traversal 20), and open outbound port udp 4500.
    --
    Would you buy a used bit from this man??
    Walter Roberson, May 15, 2005
    #2

  3. xman

    xman Guest

    Thank you very much. UDP 4500 did the trick.
    xman, May 15, 2005
    #3
  4. Paul Womar

    Paul Womar Guest

    xman <> wrote:

    > I have a very simple outbound ACL on a Pix 501:
    >
    > access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
    > access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
    >
    > I am trying to create an ipsec tunnel through 501 to another PIX with a
    > cisco client. The log shows that phase 1 (IKE) is completing
    > successfully, but the connection fails after that. If I remove the ACL
    > from the inside interface (no access-group in-out in interface inside)
    > the client connects immediately.
    >
    > I know I am probably missing something obvious here, but any help would
    > really be appreciated.


    I see you have had one answer suggested already but I suspect those two
    ACL lines above are not what you intended (i.e. opening ports for Remote
    Mail Checking Protocol & IMP Logical Address Maintenance). I would
    think you want to allow ESP & AH traffic to pass; you need to allow
    *protocols* 50 & 51 through, NOT TCP *ports*. I think you probably
    intended something closer to the following:

    access-list in-out line 5 permit ah any any
    access-list in-out line 6 permit esp any any
    --
    -> The email address used in this message *IS* valid <-
    Paul Womar, May 15, 2005
    #4
  5. In article <1gwmk2r.ugl2szt8jje7N%{$PW$}@womar.co.uk>,
    Paul Womar <{$PW$}@womar.co.uk> wrote:
    :xman <> wrote:
    :> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
    :> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)

    :I see you have had one answer suggested already but I suspect those two
    :ACL lines above are not what you intended (i.e. opening ports for Remote
    :Mail Checking Protocol & IMP Logical Address Maintenance).

    I missed that in my answer, partly because I know that ESP and AH
    show up by name instead of by number, so I didn't "see" the 50 and 51.

    : I would
    :think you want to allow ESP & AH traffic to pass, you need to allow
    :*protocols* 50 & 51 through NOT TCP *ports*. I think you probably
    :intended something closer to the following:

    :access-list in-out line 5 permit ah any any
    :access-list in-out line 6 permit esp any any

    Those aren't needed. The structure of the ACLs suggests strongly
    that the OP is doing PAT, NAT at the very least. AH can't be
    NAT'd, and ESP can't be PAT'd, so if AH or ESP were the issue then
    probably the connection wouldn't have worked even without the
    inside ACL. ESP will work with static NAT, but if the problem were
    with ESP not getting through static NAT then the OP would have needed
    to have opened ESP from the outside to the inside, and in doing so
    would have noticed that it was a protocol rather than a port.


    When you have nat-traversal active in a PAT situation, you need
    UDP 500 and UDP 4500, and everything else is handled dynamically.

    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
    Walter Roberson, May 16, 2005
    #5
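A small audit script for the two points raised in this thread: the TCP-port-versus-IP-protocol mix-up in post #4, and the udp/500 plus udp/4500 requirement behind PAT with NAT-T in posts #2 and #5. This is an added example, not code from the thread or from Cisco; the sample ACL is a constructed, abridged copy of the OP's list, and PORT_NAMES is only the subset of PIX service names that appear in this thread.

```python
# Audit a PIX outbound ACL for the two mistakes discussed in this thread (added example).
PORT_NAMES = {"ftp": 21, "www": 80, "https": 443, "isakmp": 500, "aol": 5190}
IP_PROTO_AS_PORT = {50: "esp", 51: "ah"}   # IP protocol numbers often mistyped as ports

def _take_addr(tokens, i):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'
    if tokens[i] == "any":
        return "any", i + 1
    return " ".join(tokens[i:i + 2]), i + 2

def parse_ace(line):
    """Parse one access-list entry (config or 'show access-list' form) into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    i = 2
    if t[i] == "line":                 # 'show access-list' output adds 'line N'
        i += 2
    ace = {"acl": t[1], "action": t[i], "proto": t[i + 1], "port": None}
    ace["src"], i = _take_addr(t, i + 2)
    ace["dst"], i = _take_addr(t, i)
    if i + 1 < len(t) and t[i] == "eq":
        p = t[i + 1]
        ace["port"] = PORT_NAMES.get(p, int(p) if p.isdigit() else p)
    return ace

def audit(acl_text):
    """Return findings for an inside-interface ACL that an IPsec client must cross."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    findings = []
    for a in aces:                     # 'permit tcp ... eq 50' is not ESP (post #4)
        if a["proto"] in ("tcp", "udp") and a["port"] in IP_PROTO_AS_PORT:
            name = IP_PROTO_AS_PORT[a["port"]]
            findings.append(f"{a['proto']} port {a['port']} is not {name.upper()} "
                            f"(IP protocol {a['port']}); use 'permit {name} ...' if needed")
    def permits(proto, port):          # an ACE with no 'eq' permits every port
        return any(a["action"] == "permit" and a["proto"] == proto
                   and a["port"] in (None, port) for a in aces)
    # Behind PAT with NAT-T, udp/500 and udp/4500 carry the whole tunnel (posts #2, #5)
    if not permits("udp", 500):
        findings.append("missing: permit udp ... eq isakmp (udp/500) for IKE phase 1")
    if not permits("udp", 4500):
        findings.append("missing: permit udp ... eq 4500 for NAT-T encapsulated ESP")
    return findings

SAMPLE_ACL = """\
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
"""
```

Running `audit(SAMPLE_ACL)` reports the two bogus TCP entries and the missing udp/4500 rule, which is exactly the fix that resolved the OP's problem.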
