500 is phase I, 4500 is phase II. If you only want to allow initiated traffic from inside to outside, you don't have to allow 500, as it will do flow creation for it. 4500 must be allowed if it is doing NAT. So what if NAT is not performed? Wouldn't the question depend on NAT? So 4500 or ESP.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/>

From: [email protected] [mailto:[email protected]] On Behalf Of Bruno
Sent: Friday, August 05, 2011 11:10 AM
To: CCIE Security Maillist
Subject: [OSL | CCIE_Security] OEQ - Yusuf - VPN NAT-T

Question: When the Cisco ASA firewall is placed in between two IPsec routers as shown in the exhibit, which protocol/port number must be allowed on the ASA access list?

Correct Answer: UDP port 4500

What about udp/500? Isn't it required as well? It starts on udp/500 and then floats to udp/4500 as per my understanding.

--
Bruno Fagioli
Cisco Security Professional
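To make the "floats to udp/4500" point concrete for anyone writing or auditing the ASA rule, here is an added example (not from the thread or from IPexpert) that classifies the UDP datagrams a firewall between the two peers actually sees: IKE on udp/500, and on udp/4500 either IKE behind the four-byte non-ESP marker, UDP-encapsulated ESP, or a one-byte NAT keepalive. The sample datagrams are constructed for the demonstration; the framing follows RFC 3948, and `build_ike_sa_init` is a helper invented here.

```python
import struct

IKE_PORT = 500      # IKE / ISAKMP (RFC 7296); the exchange starts here
NAT_T_PORT = 4500   # UDP-encapsulated IKE and ESP after NAT detection (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE carried on 4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive sent on 4500

def is_ike_header(data: bytes) -> bool:
    """Sanity-check a 28-byte IKE header: version 1.x/2.0 and length matches."""
    if len(data) < 28:
        return False
    _i_spi, _r_spi, _nxt, version, _xchg, _flags, _msg_id, length = \
        struct.unpack("!QQBBBBII", data[:28])
    return (version >> 4) in (1, 2) and length == len(data)

def classify_udp_payload(dst_port: int, payload: bytes) -> str:
    """Label an IPsec-related UDP datagram by destination port and framing."""
    if dst_port == IKE_PORT:
        return "ike" if is_ike_header(payload) else "unknown"
    if dst_port != NAT_T_PORT:
        return "not-ipsec"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        # IKE that floated to 4500: four zero bytes, then a normal IKE header
        return "ike-in-udp" if is_ike_header(payload[4:]) else "unknown"
    if len(payload) >= 8:
        # ESP-in-UDP: a non-zero 32-bit SPI followed by the sequence number
        return "esp-in-udp"
    return "unknown"

def build_ike_sa_init(body_len: int = 8) -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request header (hypothetical helper) with a dummy body."""
    i_spi, r_spi = 0x1122334455667788, 0
    # next payload 33 (SA), version 2.0, exchange 34 (IKE_SA_INIT), flags 0x08 (initiator)
    hdr = struct.pack("!QQBBBBII", i_spi, r_spi, 33, 0x20, 34, 0x08, 0, 28 + body_len)
    return hdr + b"\x00" * body_len

# Constructed sample datagrams a firewall between the two peers might see
SAMPLES = [
    (500, build_ike_sa_init()),                                 # initial IKE on udp/500
    (4500, NON_ESP_MARKER + build_ike_sa_init()),               # IKE after float to 4500
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x55" * 16),   # ESP-in-UDP (constructed SPI)
    (4500, NAT_KEEPALIVE),                                      # NAT keepalive
]

if __name__ == "__main__":
    for port, pkt in SAMPLES:
        print(port, classify_udp_payload(port, pkt))
```

With NAT in the path, everything after the initial udp/500 exchange arrives on udp/4500, so a permit for udp/4500 covers both IKE and ESP; without NAT, the firewall instead sees udp/500 plus native ESP (IP protocol 50).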
