Velocity Reviews - Computer Hardware Reviews


Ports for Clientless VPN on Cisco VPN 3000 Series

Doug Fox
      09-09-2005
Which ports should I open on the firewall allowing "Site to Site" and
"Client to Site" IP Sec VPNs as well as Clientless VPNs?

By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
on the internal network?

Any info/pointers are much appreciated.

Thanks,

Imhotep
      09-09-2005
Doug Fox wrote:

> Which ports should I open on the firewall allowing "Site to Site" and
> "Client to Site" IP Sec VPNs as well as Clientless VPNs?
>
> By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
> on the internal network?
>
> Any info/pointers are much appreciated.
>
> Thanks,


What configuration are you using? Are you doing NAT Traversal (NAT-T)? Are
you using ESP or AH?

If you are using VPN for clients I would suggest using NAT-T...The reason is
that a lot of home users use NAT/PAT which can cause problems for ESP.
Which is why NAT-T was invented....

I have not used clientless VPN with Cisco yet. Usually, but not always, they
use the secure web port 443...

I hope that helps. Please reply back with your specific configuration
requirements...


Imhotep
Imhotep
      09-09-2005
Imhotep wrote:

> Doug Fox wrote:
>
>> Which ports should I open on the firewall allowing "Site to Site" and
>> "Client to Site" IP Sec VPNs as well as Clientless VPNs?
>>
>> By the way, can this Cisco VPN be placed in the DMZ or behind the
>> firewall on the internal network?
>>
>> Any info/pointers are much appreciated.
>>
>> Thanks,

>
> What configuration are you using? Are you doing NAT Traversal (NAT-T)?
> Are you using ESP or AH?
>
> If you are using VPN for clients I would suggest using NAT-T...The reason
> is that a lot of home users use NAT/PAT which can cause problems for ESP.
> Which is why NAT-T was invented....
>
> I have not used clientless VPN with Cisco yet. Usually, but not always,
> they use the secure web port 443...
>
> I hope that helps. Please reply back with your specific configuration
> requirements...
>
>
> Imhotep



Ah, I almost forgot.

VPN (non NAT-T) uses either ESP or AH. These ARE NOT TCP/UDP ports but IP
protocol numbers:

ESP IP protocol type 50
AH IP protocol type 51

Either choice will use ISAKMP on UDP port 500.

NAT-T is different let me know if you are using it and I will explain it as
I understand it...basically it encapsulates either ESP or AH packets and
sends them over a UDP port (most people use UDP 10000)

Im
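To tie the replies above together, here is an added example in Python (not from the thread, and not Cisco's own tooling) that models the openings they describe, checks candidate packets against them, and flags drops in a firewall log that the VPN would need permitted. The log lines are constructed iptables-style samples, and the NAT-T port defaults to the UDP 10000 the post mentions.

```python
import re
# Added example (not from the thread): required firewall openings per VPN mode,
# a packet matcher, and a check of firewall-log drops against those openings.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
PROTO_NAMES = {"TCP": PROTO_TCP, "UDP": PROTO_UDP, "ESP": PROTO_ESP, "AH": PROTO_AH}
LABELS = {PROTO_ESP: "ESP (IP protocol 50)", PROTO_AH: "AH (IP protocol 51)",
          (PROTO_UDP, 500): "ISAKMP (UDP 500)", (PROTO_TCP, 443): "HTTPS (TCP 443)"}

def required_rules(vpn_modes, nat_t=False, nat_t_port=10000, use_ah=False):
    """(ip_protocol, dst_port) openings for the modes; dst_port None = match on
    IP protocol only. 10000 is the NAT-T port the thread cites (RFC 3948: 4500)."""
    rules = set()
    if {"site-to-site", "client"} & set(vpn_modes):
        rules.add((PROTO_UDP, 500))                           # ISAKMP / IKE
        rules.add((PROTO_AH if use_ah else PROTO_ESP, None))  # protocol number, no port
        if nat_t:
            rules.add((PROTO_UDP, nat_t_port))                # ESP/AH encapsulated in UDP
    if "clientless" in vpn_modes:
        rules.add((PROTO_TCP, 443))                           # SSL portal
    return rules

def packet_allowed(rules, ip_protocol, dst_port=None):
    """True if a packet with this IP protocol and destination port matches a rule."""
    return any(p == ip_protocol and (port is None or port == dst_port)
               for p, port in rules)

# iptables-style LOG fields; PROTO may be a name (UDP, ESP) or a number (50).
DROP_RE = re.compile(r"DROP\b.*?\bPROTO=(\w+)(?:.*?\bDPT=(\d+))?")

def diagnose_drops(log_lines, rules):
    """Return (ip_protocol, dst_port, hint) for each DROP the rule set says the VPN needs."""
    findings = []
    for line in log_lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        name, dpt = m.groups()
        proto = PROTO_NAMES.get(name, int(name) if name.isdigit() else -1)
        port = int(dpt) if dpt else None
        if packet_allowed(rules, proto, port):                # an opening the VPN needs
            if proto in (PROTO_ESP, PROTO_AH):
                hint = f"{LABELS[proto]} dropped: permit by IP protocol number, not by TCP/UDP port"
            else:
                hint = f"{LABELS.get((proto, port), f'UDP {port} (NAT-T encapsulation)')} dropped: add the port rule"
            findings.append((proto, port, hint))
    return findings

SAMPLE_LOG = [  # constructed iptables-style lines, not real captures
    "kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=50",
    "kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=500 DPT=500",
    "kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=23",
]
```

Running `diagnose_drops(SAMPLE_LOG, required_rules({"site-to-site", "clientless"}))` reports the ESP and ISAKMP drops and ignores the unrelated telnet attempt.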