Port used in firewall NAT traversal

Ports and protocols that must be enabled when IPSec NAT traversal is used on the USG:
UDP destination ports 500 and 4500 for IKE. IKE negotiation always begins on UDP 500. If no NAT device is deployed, the negotiation stays on port 500. If a NAT device is detected between the peers, IKE switches to UDP 4500 and the ESP data is UDP-encapsulated on 4500 as well, so both 500 and 4500 must be allowed whenever a NAT may be present.
IP protocol 50 for ESP and IP protocol 51 for AH. These are IP protocol numbers carried in the IP header, not TCP/UDP ports; AH and ESP have no port field. AH cannot traverse NAT at all, because its integrity check covers the IP addresses, so only ESP is usable in a NAT scenario.

Other related questions:
Firewall NAT traversal
NAT traversal on the USG

What is IPSec NAT traversal? When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.

Authentication Header (AH) computes its integrity check over the entire IP packet, including the IP addresses in the IP header. If NAT is deployed, the addresses change after translation, the integrity check no longer matches, and authentication fails. An IPSec tunnel that uses AH therefore cannot traverse a NAT gateway.

Encapsulating Security Payload (ESP) computes its integrity check over the ESP payload only, not over the outer IP header, so an address change does not affect ESP authentication. ESP is, however, a Layer 3 protocol with no port field, so Network Address Port Translation (NAPT), which needs a port to multiplex connections on, cannot translate it.

To resolve this, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When such a packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header; the peer end of the IPSec tunnel strips the UDP header and processes the packet as an ordinary IPSec packet. The reply packet is UDP-encapsulated in the same way, with a UDP header between its IP header and ESP header.
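The following Python script is an added illustration of the two answers above (the port list and the encapsulation description); it is not code from the USG documentation. It builds and then classifies the packet kinds a firewall in front of the USG has to permit: raw ESP and AH (IP protocols 50 and 51, which carry no port), IKE on UDP 500, and the three things that can arrive on UDP 4500 under RFC 3948: UDP-encapsulated ESP, IKE behind the 4-byte non-ESP marker, and the 1-byte NAT keepalive. Addresses, SPIs and payload bytes are constructed sample values.

```python
import struct

# IP protocol numbers and UDP ports named on the page (RFC 4302/4303, RFC 3947/3948)
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefixed to IKE sent on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive on port 4500

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

def build_udp(src_port, dst_port, payload):
    """UDP header (checksum zero) in front of payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def esp_in_udp(esp_packet, src_port=NATT_PORT, dst_port=NATT_PORT):
    """NAT-T encapsulation: the UDP header sits between the IP header and the ESP header."""
    return build_udp(src_port, dst_port, esp_packet)

def ike_in_udp(ike_message, src_port=NATT_PORT, dst_port=NATT_PORT):
    """IKE after the switch to 4500 carries the non-ESP marker; a real ESP SPI is never zero."""
    return build_udp(src_port, dst_port, NON_ESP_MARKER + ike_message)

def classify(packet):
    """Return a label saying what a firewall would have to permit for this packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == PROTO_ESP:
        spi = struct.unpack("!I", body[:4])[0]
        return f"ESP, IP protocol 50, no port, SPI=0x{spi:08x}"
    if proto == PROTO_AH:
        return "AH, IP protocol 51, no port (fails behind NAT)"
    if proto != PROTO_UDP:
        return f"other IP protocol {proto}"
    src_port, dst_port = struct.unpack("!HH", body[:4])
    payload = body[8:]
    if dst_port == IKE_PORT:
        return "IKE on UDP/500"
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "NAT-T keepalive on UDP/4500"
        if len(payload) < 4:
            return "malformed UDP/4500 payload"
        if payload[:4] == NON_ESP_MARKER:
            return "IKE on UDP/4500 (non-ESP marker)"
        spi = struct.unpack("!I", payload[:4])[0]
        return f"UDP-encapsulated ESP on UDP/4500, SPI=0x{spi:08x}"
    return f"UDP/{dst_port}"

# Constructed samples: an ESP packet (SPI, sequence number, ciphertext stand-in)
# and an IKE message stand-in (28 arbitrary header bytes).
SAMPLE_ESP = bytes.fromhex("1234abcd") + bytes.fromhex("00000001") + b"\xaa" * 16
SAMPLE_IKE = b"\x5a" * 28

def demo():
    samples = {
        "raw ESP": build_ipv4(PROTO_ESP, SAMPLE_ESP),
        "raw AH": build_ipv4(PROTO_AH, b"\x00" * 24),
        "IKE initial": build_ipv4(PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, SAMPLE_IKE)),
        "IKE after NAT detected": build_ipv4(PROTO_UDP, ike_in_udp(SAMPLE_IKE)),
        "ESP after NAT detected": build_ipv4(PROTO_UDP, esp_in_udp(SAMPLE_ESP)),
        "keepalive": build_ipv4(PROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NAT_KEEPALIVE)),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:24s} -> {label}")
```

The point the classifier makes explicit is that a rule "allow port 50 and 51" matches nothing: ESP and AH are selected by the protocol field of the IP header, while everything NAT-T related is selected by UDP port. The non-ESP marker is what lets one socket on 4500 carry both IKE and ESP, and the length guard matters because a one-byte keepalive and a truncated datagram both arrive on the same port.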

Port number used by the USG for NAT traversal
The USG firewalls use well-known port and protocol numbers for IPSec NAT traversal: UDP packets with destination port 500 (initial IKE negotiation) or 4500 (IKE and UDP-encapsulated ESP once a NAT device has been detected), and IP packets carrying AH (IP protocol number 51) or ESP (IP protocol number 50). If no NAT device exists, the negotiation stays on port 500; if a NAT device exists, it moves to port 4500. The values 50 and 51 are IP protocol numbers in the IP header, not TCP/UDP ports.

Port used in IPSec NAT traversal scenarios on the USG2000
The initial port used in IKE negotiation is UDP 500. After the NAT traversal capability detection and the NAT gateway detection are complete, the UDP port for encapsulating ISAKMP messages is changed to 4500. The subsequent negotiation and the data transmission (UDP-encapsulated ESP) use this port.

Port used in IPSec NAT traversal scenarios on the USG9000
The initial port used in IKE negotiation is UDP 500. After the NAT traversal capability detection and the NAT gateway detection are complete, the UDP port for encapsulating ISAKMP messages is changed to 4500. The subsequent negotiation and the data transmission (UDP-encapsulated ESP) use this port.
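The NAT gateway detection that the USG2000 and USG9000 answers above refer to works by each peer hashing its own view of its address and port into NAT-D payloads, and the other side recomputing the hash from the source it actually observed on the wire. This Python script, added here as an illustration and not taken from the USG documentation, models that comparison with the RFC 3947 formula HASH(CKY-I | CKY-R | IP | Port); the IKEv2 form in RFC 7296 is the same construction over the IKE SPIs with SHA-1. SHA-1 is assumed throughout (in IKEv1 the negotiated hash algorithm is used), and the cookies, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 3.2: HASH(CKY-I | CKY-R | IP | Port), IP as raw 4- or 16-byte address, port big-endian."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """What a peer sends: the hash of the peer's address first, then the hash of its own."""
    return {
        "destination": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "source": nat_d_hash(cky_i, cky_r, own_ip, own_port),
    }

def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, own_ip, own_port):
    """Recompute both hashes from the packet actually received; a mismatch means a NAT rewrote it."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) != received["source"]
    self_behind_nat = nat_d_hash(cky_i, cky_r, own_ip, own_port) != received["destination"]
    return peer_behind_nat, self_behind_nat

def negotiate(initiator_ip, initiator_port, seen_ip, seen_port, responder_ip="198.51.100.20"):
    """Simulate one exchange from the responder's side and return the port the peers move to."""
    # Constructed sample ISAKMP cookies (IKEv1) / IKE SPIs (IKEv2); real ones are random.
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    # The initiator hashes the addresses it can see: its own (possibly private) one and the responder's.
    sent = nat_d_payloads(cky_i, cky_r, initiator_ip, initiator_port, responder_ip, IKE_PORT)
    # The responder sees the packet arrive from whatever source a NAT on the path rewrote it to.
    peer_nat, self_nat = detect_nat(cky_i, cky_r, sent, seen_ip, seen_port, responder_ip, IKE_PORT)
    nat_detected = peer_nat or self_nat
    return {"nat_detected": nat_detected, "port": NATT_PORT if nat_detected else IKE_PORT}

if __name__ == "__main__":
    # Initiator behind a NAPT: 10.0.0.5:500 leaves the NAT as 203.0.113.7:51000.
    print(negotiate("10.0.0.5", 500, "203.0.113.7", 51000))
    # No NAT: the source the responder sees is the initiator's real address and port.
    print(negotiate("192.0.2.10", 500, "192.0.2.10", 500))
```

The hashes are sent rather than the plain addresses so that the exchange does not leak internal addressing to anyone who can read the unencrypted Phase 1 messages, and the cookies are included so a NAT-D payload cannot be replayed into a different negotiation. Detection is all this does: once either side finds a mismatch, both peers move IKE to UDP 4500 and start UDP-encapsulating ESP, which is why a firewall between them must allow 4500 as well as 500.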
