Doesn't the VPN from a router run NAT-T by default, so if 500 is blocked it goes to other ports or TCP for the connection?
From: [email protected] [mailto:[email protected]] On Behalf Of Asif Khan
Sent: 30 January 2010 12:46
To: [email protected]
Subject: [OSL | CCIE_Security] udp port 500 required?

Hello group,

Topology: R1 <-> ASA <-> R2

Traffic between R1 lo0 (1.1.1.1) and R2 lo0 (2.2.2.2) is protected by L2L IPsec. I am using the following ACL on both the inside and outside interfaces of the ASA:

    access-list VPN extended deny udp any any log
    access-list VPN extended permit esp any any
    access-group VPN in interface outside
    access-group VPN in interface inside

but I am able to bring up the tunnel from both inside and outside ... Shouldn't blocking UDP 500/4500 block the tunnel construction?

Thanks in advance,
- Asif
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
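As an added example (not code from the thread or from Cisco), a small Python first-match evaluator for the ACL quoted above, run over constructed IKE (UDP/500), NAT-T (UDP/4500), ESP and TCP packets; it assumes ASA-style first-match evaluation with an implicit deny at the end and only handles the "any any [eq PORT]" form used in the post.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# interface ACL Asif posted, run over constructed IKE, NAT-T, ESP and TCP packets.
from dataclasses import dataclass
from typing import Optional

IP_PROTO = {"udp": 17, "tcp": 6, "esp": 50}

@dataclass(frozen=True)
class Packet:
    proto: int                      # IP protocol number
    dst_port: Optional[int] = None  # None for port-less protocols such as ESP

# The two ACEs exactly as posted; the ASA appends an implicit deny after them.
VPN_ACL = [
    "access-list VPN extended deny udp any any log",
    "access-list VPN extended permit esp any any",
]

def parse_ace(line: str):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    action, proto = t[3], IP_PROTO[t[4]]
    # Only the 'any any [eq N]' shape is handled: 'eq' is taken as a destination port.
    port = int(t[t.index("eq") + 1]) if "eq" in t else None
    return action, proto, port

def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for line in acl:
        action, proto, port = parse_ace(line)
        if proto == pkt.proto and (port is None or port == pkt.dst_port):
            return action
    return "deny"

def check_ipsec_flows(acl=VPN_ACL) -> dict:
    """Constructed packets for each flow the thread discusses."""
    flows = {
        "ike_udp_500": Packet(IP_PROTO["udp"], 500),
        "nat_t_udp_4500": Packet(IP_PROTO["udp"], 4500),
        "esp_proto_50": Packet(IP_PROTO["esp"]),
        "tcp_any": Packet(IP_PROTO["tcp"], 10000),  # e.g. IKE encapsulated in TCP
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, verdict in check_ipsec_flows().items():
        print(f"{name:16} -> {verdict}")
```

Under this ACL both IKE ports (500 and 4500) hit the explicit UDP deny and any TCP fallback hits the implicit deny, so only ESP itself is permitted through the ASA.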
