Off Topic: Cisco ACL for IP 50 and 51

Dana J. Dawson dana at INTERPRISE.COM
Tue Mar 28 11:03:32 EST 2000


Scott Armstrong wrote:
>
> Sorry if this is off topic, but I thought I'd ask.
>
> I have a Cisco 2514 router (IOS version 11.2) that's between my VPN client and server.  I need to allow IP protocol 50 and 51 through to get the VPN to work.
>
> Does anyone know what the IOS commands are to enable IP protocol 50 and 51 on a Cisco router?
>
> Thanks in advance,
> Scott Armstrong
>
> VPN is sponsored by SecurityFocus.COM

The commands you need should be something like this:

  access-list 101 permit 50 S.S.S.S  M.M.M.M  D.D.D.D  M.M.M.M
  access-list 101 permit 51 S.S.S.S  M.M.M.M  D.D.D.D  M.M.M.M

Where "S.S.S.S" is the source address you want to allow, "D.D.D.D" is the
destination address, and the "M.M.M.M" fields are the respective masks for the
previous addresses.  Note that Cisco uses "backwards" masks in access-lists
compared to real subnet masks (i.e. zeros where you care and ones where you
don't care).  So, for example, if you wanted to allow all hosts on the
192.168.1.0 subnet with a standard Class C mask of 255.255.255.0, then you would
use an address of 192.168.1.0 and a mask of 0.0.0.255 in your access-list.
Also, the router may translate the protocol numbers (50 and 51) for you, so when
you look at the config later they may show up as "esp" and "ah".

Hope this helps.

Dana

--
Dana J. Dawson                         dana at interprise.com
Distinguished Principal Engineer       CCIE #1937
!NTERPRISE Networking Services         (612) 664-3364
U S WEST                               (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."
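The wildcard-mask and first-match semantics Dana describes, worked through in code. This is an added example and not part of the thread; the addresses (a 192.168.1.0/24 client subnet and a VPN server at 10.0.0.1), the `ACL_101` table and the helper names are all invented for illustration, and the script only models how IOS evaluates an extended numbered ACL, it does not talk to a router.

```python
"""Model of a Cisco extended ACL permitting IP protocols 50 (ESP) and 51 (AH).

Added example; the addresses and entry list below are constructed, not taken
from the mailing-list thread.
"""
import ipaddress

# IOS shows these protocol numbers by name in the running config.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}


def wildcard_mask(prefix_len: int) -> str:
    """Cisco 'backwards' mask for a prefix length: 1 bits where we do not care.

    /24 (255.255.255.0) becomes 0.0.0.255, /32 becomes 0.0.0.0.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    net_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(net_mask ^ 0xFFFFFFFF))


def _ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit the wildcard leaves as 0."""
    care_bits = ~_ip_to_int(wildcard) & 0xFFFFFFFF
    return (_ip_to_int(addr) ^ _ip_to_int(base)) & care_bits == 0


# (action, ip protocol, src, src wildcard, dst, dst wildcard); constructed sample.
ACL_101 = [
    ("permit", 50, "192.168.1.0", wildcard_mask(24), "10.0.0.1", wildcard_mask(32)),
    ("permit", 51, "192.168.1.0", wildcard_mask(24), "10.0.0.1", wildcard_mask(32)),
]


def render_acl(number: int, entries) -> list:
    """Render entries in the 'access-list N permit PROTO S WC D WC' form from the post."""
    return [
        f"access-list {number} {action} {proto} {src} {swc} {dst} {dwc}"
        for action, proto, src, swc, dst, dwc in entries
    ]


def evaluate(entries, proto: int, src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for action, p, s, swc, d, dwc in entries:
        if p == proto and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


if __name__ == "__main__":
    for line in render_acl(101, ACL_101):
        print(line)
    # Constructed sample packets: ESP and AH from the subnet pass, the rest do not.
    samples = [(50, "192.168.1.77", "10.0.0.1"),   # ESP from inside the /24
               (51, "192.168.1.77", "10.0.0.1"),   # AH from inside the /24
               (50, "192.168.2.1", "10.0.0.1"),    # ESP, wrong source subnet
               (17, "192.168.1.77", "10.0.0.1")]   # UDP, no entry -> implicit deny
    for proto, src, dst in samples:
        name = IP_PROTO_NAMES.get(proto, str(proto))
        print(f"{name:4} {src:>14} -> {dst:<10} {evaluate(ACL_101, proto, src, dst)}")
```

The last sample packet is the point worth remembering: a numbered ACL ends with an implicit deny, so once it is applied to the interface with `ip access-group 101 in`, only the traffic the entries name gets through, and any other protocol the VPN needs must get its own `permit` line.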
