Off Topic: Cisco ACL for IP 50 and 51
Dana J. Dawson
dana at INTERPRISE.COM
Tue Mar 28 11:03:32 EST 2000
Scott Armstrong wrote:
>
> Sorry if this is off topic, but I thought I'd ask.
>
> I have a Cisco 2514 router (IOS version 11.2) that's between my VPN client and server. I need to allow IP protocol 50 and 51 through to get the VPN to work.
>
> Does anyone know what the IOS commands are to enable IP protocol 50 and 51 on a Cisco router?
>
> Thanks in advance,
> Scott Armstrong
>
> VPN is sponsored by SecurityFocus.COM
The commands you need should be something like this:
access-list 101 permit 50 S.S.S.S M.M.M.M D.D.D.D M.M.M.M
access-list 101 permit 51 S.S.S.S M.M.M.M D.D.D.D M.M.M.M
Where "S.S.S.S" is the source address you want to allow, "D.D.D.D" is the
destination address, and the "M.M.M.M" fields are the respective masks for the
previous addresses. Note that Cisco uses "backwards" masks in access-lists
compared to real subnet masks (i.e. zeros where you care and ones where you
don't care). So, for example, if you wanted to allow all hosts on the
192.168.1.0 subnet with a standard Class C mask of 255.255.255.0, then you would
use an address of 192.168.1.0 and a mask of 0.0.0.255 in your access-list.
Also, the router may translate the protocol numbers (50 and 51) for you, so when
you look at the config later they may show up as "esp" and "ah".
Hope this helps.
Dana
--
Dana J. Dawson dana at interprise.com
Distinguished Principal Engineer CCIE #1937
!NTERPRISE Networking Services (612) 664-3364
U S WEST (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
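A small helper, added here and not part of the original thread, that derives the inverted Cisco wildcard mask from a CIDR prefix, builds the two permit lines for protocols 50 and 51 the way the reply lays them out, and checks an address against a base/wildcard pair the way the router does (the CIDR inputs and access-list number 101 are sample values).

```python
import ipaddress

# Cisco wildcard masks are the bitwise inverse of a subnet mask:
# 0 bits mean "must match", 1 bits mean "don't care".


def wildcard_mask(prefix_len: int) -> str:
    """Return the Cisco wildcard mask for a /prefix_len IPv4 network."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def acl_entry(acl_no: int, proto: int, src_cidr: str, dst_cidr: str) -> str:
    """Build one 'access-list N permit <proto> S M D M' line."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    dst = ipaddress.ip_network(dst_cidr, strict=False)
    return (f"access-list {acl_no} permit {proto} "
            f"{src.network_address} {wildcard_mask(src.prefixlen)} "
            f"{dst.network_address} {wildcard_mask(dst.prefixlen)}")


def ipsec_acl(acl_no: int, src_cidr: str, dst_cidr: str) -> list:
    """The two entries from the reply: ESP (protocol 50) and AH (protocol 51)."""
    return [acl_entry(acl_no, proto, src_cidr, dst_cidr) for proto in (50, 51)]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Router match rule: every bit where the wildcard is 0 must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    # Sample values: a /24 of VPN clients talking to a single VPN server.
    for line in ipsec_acl(101, "192.168.1.0/24", "10.0.0.5/32"):
        print(line)
```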