IPSEC tunnel through outbound ACL on PIX 501

Hi All, I have a very simple outbound ACL on a Pix 501:

access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
access-list in-out line 8 permit tcp any any eq https (hitcnt=8)
access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

I am trying to create an IPsec tunnel through the 501 to another PIX with a Cisco client. The log shows that phase 1 (IKE) is completing successfully, but the connection fails after that. If I remove the ACL from the inside interface (no access-group in-out in interface inside), the client connects immediately.

I know I am probably missing something obvious here, but any help would really be appreciated.

Thanks.

xman

In article , xman wrote:
:I have a very simple outbound ACL on a Pix 501:

:access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
:access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
:access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
:access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
:access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
:access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
:access-list in-out line 8 permit tcp any any eq https (hitcnt=8)
:access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

:I am trying to create an ipsec tunnel through 501 to another PIX with a
:cisco client. The log shows that phase 1 (IKE) is completing
:successfully, but the connection fails after that. If I remove the ACL
:from the inside interface (no access-group in-out in interface inside)
:the client connects immediately.

Make sure that NAT traversal is turned on on the remote PIX (isakmp nat-traversal 20), and open outbound port UDP 4500.

Walter Roberson

Thank you very much. UDP 4500 did the trick.

xman

I see you have had one answer suggested already, but I suspect those two ACL lines above are not what you intended (i.e. opening ports for Remote Mail Checking Protocol & IMP Logical Address Maintenance). I would think you want to allow ESP & AH traffic to pass; for that you need to allow *protocols* 50 & 51 through, NOT TCP *ports*. I think you probably intended something closer to the following:

access-list in-out line 5 permit ah any any
access-list in-out line 6 permit esp any any

Paul Womar

In article , Paul Womar wrote:
:xman wrote:
:> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)

:I see you have had one answer suggested already but I suspect those two
:ACL lines above are not what you intended (i.e. opening ports for Remote
:Mail Checking Protocol & IMP Logical Address Maintenance).

I missed that in my answer, partly because I know that ESP and AH show up by name instead of by number, so I didn't "see" the 50 and 51.

: I would
:think you want to allow ESP & AH traffic to pass, you need to allow
:*protocols* 50 & 51 through NOT TCP *ports*. I think you probably
:intended something closer to the following:

:access-list in-out line 5 permit ah any any
:access-list in-out line 6 permit esp any any

Those aren't needed. The structure of the ACLs suggests strongly that the OP is doing PAT, or NAT at the very least. AH can't be NAT'd, and ESP can't be PAT'd, so if AH or ESP were the issue then probably the connection wouldn't have worked even without the inside ACL. ESP will work with static NAT, but if the problem were with ESP not getting through static NAT then the OP would have needed to open ESP from the outside to the inside, and in doing so would have noticed that it was a protocol rather than a port.

When you have nat-traversal active in a PAT situation, you need UDP 500 and UDP 4500, and everything else is handled dynamically.

Walter Roberson
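The two points made in this thread (Paul Womar's, that "permit tcp any any eq 50" opens a TCP port rather than IP protocol 50, and Walter Roberson's, that a client behind PAT with NAT traversal only needs UDP 500 and UDP 4500 outbound) can be checked with a small model of PIX-style ACL matching. The following is an added example written for this page, not code from the thread or from Cisco. It assumes a simplified ACL dialect: "any any" source and destination only, destination ports only, first match wins, implicit deny at the end; the service-name table is a constructed subset of what the PIX resolves.

```python
# Added example, not from the thread: a minimal model of how a PIX-style
# access list matches traffic. It shows why the posted "permit tcp any any
# eq 50" never passes ESP, and why a Cisco VPN client behind PAT with
# NAT-Traversal only needs UDP 500 and UDP 4500 outbound.
# Assumptions: only "any any" source/destination, only destination ports,
# first match wins, implicit deny when nothing matches.
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

# Service keywords and protocol names as the PIX prints them
# (constructed subset for this example).
SERVICE_PORTS = {"ftp": 21, "www": 80, "https": 443, "isakmp": 500,
                 "citrix-ica": 1494, "aol": 5190}
PROTO_NUMBERS = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Flow:
    proto: int       # IP protocol number
    dport: int = 0   # destination port; only meaningful for TCP/UDP


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: int              # 0 means "ip" (any protocol)
    dport: Optional[int]    # None means any destination port

    def matches(self, flow: Flow) -> bool:
        # A protocol entry (esp/ah) matches on protocol number alone;
        # a tcp/udp "eq N" entry matches only that protocol and that port.
        if self.proto != 0 and self.proto != flow.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


# Accepts the "show access-list" form (with "line N" and a trailing hitcnt)
# as well as the plain configuration form.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:line\s+\d+\s+)?(permit|deny)\s+(\S+)"
    r"\s+any\s+any(?:\s+eq\s+(\S+))?"
)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACL syntax: " + line)
        action, proto, port = m.groups()
        proto_num = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
        dport = None
        if port is not None:
            dport = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
        aces.append(Ace(action, proto_num, dport))
    return aces


def permitted(aces: List[Ace], flow: Flow) -> bool:
    """First matching entry decides; nothing matched means implicit deny."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


# Packets a VPN client sends outbound: IKE, NAT-T, and bare ESP/AH.
# "tcp dport 50" shows what the posted line 6 actually permits.
FLOWS = {
    "isakmp udp/500": Flow(PROTO_NUMBERS["udp"], 500),
    "nat-t udp/4500": Flow(PROTO_NUMBERS["udp"], 4500),
    "esp": Flow(PROTO_NUMBERS["esp"]),
    "ah": Flow(PROTO_NUMBERS["ah"]),
    "tcp dport 50": Flow(PROTO_NUMBERS["tcp"], 50),
}

# The relevant entries as posted, and a version with the UDP 4500 entry.
ORIGINAL_ACL = """
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
"""
NAT_T_ACL = """
access-list in-out permit udp any any eq isakmp
access-list in-out permit udp any any eq 4500
"""


def check(acl_text: str) -> Dict[str, bool]:
    """Map each test flow to whether the given ACL text permits it."""
    aces = parse_acl(acl_text)
    return {name: permitted(aces, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ORIGINAL_ACL), ("with udp 4500", NAT_T_ACL)):
        print(label, check(acl))
```

Against the ACL as posted, only "isakmp udp/500" and "tcp dport 50" come back permitted: lines 5 and 6 match TCP segments to ports 51 and 50 and never an ESP or AH packet, and nothing matches UDP 4500. With the UDP 4500 entry added, IKE and NAT-T both pass while ESP and AH still do not, which is fine for the PAT case in the thread because NAT-T carries the ESP payload inside UDP 4500. Where NAT-T is not in use (the static NAT case Walter mentions), the entry that matters is "permit esp any any", a protocol keyword rather than a port, and the model permits the bare ESP flow only when such an entry is present.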

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.