Cisco Router and IP Protocols for IPsec
Dana J. Dawson
dana at INTERPRISE.COM
Fri Jan 7 15:59:57 EST 2000
"Chen, Ken C" wrote:
>
> Can you specify which IP Protocols are allowed and denied through
> access-lists on a Cisco router? We found that "permit IP" was necessary
> before a few implementations would work. This is a little open ended, and
> we'd like to secure the connection a little better.
>
> If someone could provide the command line arguments and maybe an example
> ACL, it would be appreciated!
>
> Thanks!
>
> VPN is sponsored by SecurityFocus.COM
Here's the output of "access-list 100 permit ?" in a Cisco router:
> Router(config)#access-list 100 permit ?
> <0-255> An IP protocol number
> ahp Authentication Header Protocol
> eigrp Cisco's EIGRP routing protocol
> esp Encapsulation Security Payload
> gre Cisco's GRE tunneling
> icmp Internet Control Message Protocol
> igmp Internet Gateway Message Protocol
> igrp Cisco's IGRP routing protocol
> ip Any Internet Protocol
> ipinip IP in IP tunneling
> nos KA9Q NOS compatible IP over IP tunneling
> ospf OSPF routing protocol
> pcp Payload Compression Protocol
> pim Protocol Independent Multicast
> tcp Transmission Control Protocol
> udp User Datagram Protocol
Instead of "ip", you can specify a protocol number (0-255), or one of the
keywords above if you don't remember the appropriate number. Since IPSec uses
IP protocols 50 (esp) and 51 (ah) and UDP port 500, here's a common access-list
to allow IPSec:
access-list 100 permit 50 any host 1.2.3.4
access-list 100 permit 51 any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq 500
When you look at the configuration, the router will display this list like this,
since it replaces most common protocol and port numbers with the corresponding
keywords (you can use the keywords instead of the numbers if you want when you
enter the list, too):
access-list 100 permit esp any host 1.2.3.4
access-list 100 permit ahp any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq isakmp
The above list allows IPSec traffic from anywhere (the "any" keyword) to the
host at IP address "1.2.3.4".
HTH
Dana
--
Dana J. Dawson dana at interprise.com
Distinguished Principal Engineer CCIE #1937
!NTERPRISE Networking Services (612) 664-3364
U S WEST (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
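Added example (editor's, not part of Dana's post): a small Python model of how IOS evaluates the extended-ACL lines above, so the difference between the open "permit ip any host 1.2.3.4" and the three-line ESP/AH/ISAKMP list can be seen on concrete packets. It implements first-match semantics with the implicit deny at the end, wildcard masks, and the keyword-for-number substitution the post describes (the keyword table is a subset of the "?" output, and only the "any", "host", "A.B.C.D WILDCARD" and "eq" forms used on the page are parsed). All packets, addresses and the "5.6.7.8" peer are constructed for the example. The UDP 4500 case is not from the post: it is the port IKE and ESP use when encapsulated in UDP for NAT traversal, and the list as given drops it, which is what you want unless you need that.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the keywords from "access-list 100 permit ?" with the protocol
# numbers IOS substitutes for them; "ip" is handled separately (any protocol).
PROTO_KEYWORDS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47,
                  "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103, "pcp": 108}
PORT_KEYWORDS = {"isakmp": 500, "telnet": 23, "www": 80, "domain": 53}  # used after "eq"
AddrSpec = Tuple[int, int]  # (base address, wildcard mask): wildcard bit 1 = don't care

@dataclass
class Packet:  # constructed test packet; ports only meaningful for tcp/udp
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str
    proto: Optional[int]  # None stands for the "ip" keyword
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int]
    dport: Optional[int]

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; returns (spec, next token index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_KEYWORDS[p]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' (numbers or keywords)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    proto = None if t[3] == "ip" else int(t[3]) if t[3].isdigit() else PROTO_KEYWORDS[t[3]]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in: {line!r}")
    if (sport is not None or dport is not None) and proto not in (6, 17):
        raise ValueError(f"'eq' only applies to tcp/udp: {line!r}")
    return Entry(t[2], proto, src, dst, sport, dport)

def _addr_match(addr: str, spec: AddrSpec) -> bool:
    base, wild = spec
    return ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto is None or e.proto == p.proto)
            and _addr_match(p.src, e.src) and _addr_match(p.dst, e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """IOS semantics: first matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

def load_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

# The three-line list from the post, and the wide-open "permit ip" it replaces.
TIGHT_ACL = load_acl("""
access-list 100 permit esp any host 1.2.3.4
access-list 100 permit ahp any host 1.2.3.4
access-list 100 permit udp any host 1.2.3.4 eq isakmp
""")
OPEN_ACL = load_acl("access-list 100 permit ip any host 1.2.3.4")

# Constructed sample traffic: a peer's IPsec, plus things the list should block.
SAMPLE = {
    "esp from peer": Packet(50, "5.6.7.8", "1.2.3.4"),
    "ah from peer": Packet(51, "5.6.7.8", "1.2.3.4"),
    "isakmp from peer": Packet(17, "5.6.7.8", "1.2.3.4", 500, 500),
    "udp 4500 from peer": Packet(17, "5.6.7.8", "1.2.3.4", 4500, 4500),
    "telnet to gateway": Packet(6, "5.6.7.8", "1.2.3.4", 40000, 23),
    "esp to other host": Packet(50, "5.6.7.8", "1.2.3.5"),
}

def compare(acl_a: List[Entry], acl_b: List[Entry]) -> dict:
    """Verdict of both lists for every sample packet, keyed by description."""
    return {n: (evaluate(acl_a, p), evaluate(acl_b, p)) for n, p in SAMPLE.items()}

if __name__ == "__main__":
    for name, (tight, wide) in compare(TIGHT_ACL, OPEN_ACL).items():
        print(f"{name:20s} tight={tight:6s} permit-ip={wide}")
```

Running it shows "permit ip" letting the telnet attempt through to the gateway while the three-line list denies it, and shows that the numeric form ("permit 50") and the keyword form ("permit esp") parse to the same entry, as the post says. Two things the model does not do for you: on the router the list only takes effect once it is applied to the outside interface (interface-config "ip access-group 100 in"), and when the remote peer has a fixed address, replacing "any" with "host <peer>" narrows the list further than the post's version.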