VPN Firewall ports

jtrooney@gmail.com, 09-08-2006
Hi, I setup a remote vpn for a couple of users, but need to know what
ports need to be open on my router to allow their vpn connection. I am
using just a basic ipsec vpn. Thanks in advance.


Remote user ---> cisco 2600 router ---> pix 515E

Walter Roberson, 09-08-2006
In article <(E-Mail Removed). com>,
(E-Mail Removed) <(E-Mail Removed)> wrote:
>Hi, I setup a remote vpn for a couple of users, but need to know what
>ports need to be open on my router to allow their vpn connection. I am
>using just a basic ipsec vpn. Thanks in advance.


>Remote user ---> cisco 2600 router ---> pix 515E


Google is down at the moment, so I can't just grab the link and
post it, but I have posted this information several times in this
newsgroup. Try searching google news on

group:comp.dcom.sys.cisco author:roberson ipsec pptp l2tp ah esp

CCIE 15766, 09-08-2006
For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
NAT-T is supported (very common).

UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
is very uncommon), you do not need to open it (nor UDP 4500).

(E-Mail Removed) wrote:
> Hi, I setup a remote vpn for a couple of users, but need to know what
> ports need to be open on my router to allow their vpn connection. I am
> using just a basic ipsec vpn. Thanks in advance.
>
>
> Remote user ---> cisco 2600 router ---> pix 515E


Walter Roberson, 09-08-2006
In article <(E-Mail Removed). com>,
CCIE 15766 <(E-Mail Removed)> wrote:
>For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
>NAT-T is supported (very common).


And see my posting for information on where to find the other things
you need if NAT-T is -not- supported (also very common).


>UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
>is very uncommon), you do not need to open it (neither UDP 4500).


Hmmm, what happens if you are using fixed SA (Security Associations) but
you want NAT-T? In theory the two are orthogonal, with NAT-T defining
encapsulation procedures and the SA fields not coming into effect
until after the decapsulation. But NAT-T without IKE sounds like it
would require UDP 4500?
Darren Green, 09-09-2006

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:eGkMg.517950$Mn5.509270@pd7tw3no...
> In article <(E-Mail Removed). com>,
> CCIE 15766 <(E-Mail Removed)> wrote:
>>For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
>>NAT-T is supported (very common).

>
> And see my posting for information on where to find the other things
> you need if NAT-T is -not- supported (also very common)
>
>
>>UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
>>is very uncommon), you do not need to open it (neither UDP 4500).

>
> Hmmm, what happens if you are using fixed SA (Security Associations) but
> you want NAT-T? In theory the two are orthogonal, with NAT-T defining
> encapsulation procedures and the SA fields not coming into effect
> until after the decapsulation. But NAT-T without IKE sounds like it
> would require UDP 4500 ?


On the outside router I take it that you would also need to allow ports 50
and/or 51 depending on whether this connection was using ESP, AH or both.

Regards

Darren


Walter Roberson, 09-09-2006
In article <(E-Mail Removed)>,
Darren Green <(E-Mail Removed)> wrote:

>On the outside router I take it that you would also need to allow ports 50 &
>/ or 51 depending on whether this connection was using ESP, AH or both.


Those are not needed if you are using NAT-T.

http://groups.google.ca/group/comp.d...0c24806cde9f6b
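Walter's point above (with NAT-T in use, UDP/4500 carries the IPsec traffic and raw ESP/AH need not be opened) and the UDP/500 rule from CCIE 15766's post, as an added Python example that is not from the thread or from any Cisco documentation; the `IpsecProfile` fields, the ACL number and the endpoint address are assumptions, and ESP/AH are matched by their IP protocol numbers (50 and 51) rather than as ports.

```python
"""Inbound allow-list for an IPsec VPN endpoint (constructed example, not from the thread).
Rules: IKE/ISAKMP needs UDP/500; NAT-T needs UDP/4500 and carries the IPsec payload inside
UDP, so raw ESP/AH stay closed; without NAT-T, ESP (IP proto 50) / AH (IP proto 51) must pass."""
from dataclasses import dataclass

UDP_ISAKMP = 500   # IKE/ISAKMP
UDP_NAT_T = 4500   # NAT Traversal: UDP-encapsulated IPsec
PROTO_UDP = 17
PROTO_ESP = 50     # IP protocol number, not a UDP/TCP port
PROTO_AH = 51      # IP protocol number, not a UDP/TCP port


@dataclass(frozen=True)
class IpsecProfile:      # assumed knobs describing the tunnel
    ike: bool = True     # False = manually keyed (fixed) SAs, no ISAKMP exchange
    nat_t: bool = False  # NAT-T negotiated or forced
    esp: bool = True     # Encapsulating Security Payload in use
    ah: bool = False     # Authentication Header in use


def required_rules(p: IpsecProfile) -> list:
    """Return (kind, number) pairs to permit inbound; kind is 'udp' or 'ip'."""
    rules = []
    if p.ike:
        rules.append(("udp", UDP_ISAKMP))
    if p.nat_t:
        # After IKE everything rides in UDP/4500, so protocols 50/51 stay closed.
        rules.append(("udp", UDP_NAT_T))
        return rules
    if p.esp:
        rules.append(("ip", PROTO_ESP))
    if p.ah:
        rules.append(("ip", PROTO_AH))
    return rules


def is_permitted(p: IpsecProfile, ip_proto: int, dst_port: int = 0) -> bool:
    """Check one inbound packet (IP protocol number, UDP destination port) against the list."""
    key = ("udp", dst_port) if ip_proto == PROTO_UDP else ("ip", ip_proto)
    return key in required_rules(p)


def ios_acl(p: IpsecProfile, acl: int, vpn_host: str) -> list:
    """Render the allow-list as Cisco IOS extended ACL lines (ACL number is hypothetical)."""
    out = []
    for kind, num in required_rules(p):
        if kind == "udp":
            out.append(f"access-list {acl} permit udp any host {vpn_host} eq {num}")
        else:  # numeric IP protocol match for ESP (50) or AH (51)
            out.append(f"access-list {acl} permit {num} any host {vpn_host}")
    return out
```

With `nat_t=True` a raw ESP packet is rejected by `is_permitted`, which is the case Walter describes: only UDP/500 and UDP/4500 are on the list.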
Darren Green, 09-10-2006

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:jHAMg.534988$IK3.403965@pd7tw1no...
> In article <(E-Mail Removed)>,
> Darren Green <(E-Mail Removed)> wrote:
>
>>On the outside router I take it that you would also need to allow ports 50
>>&
>>/ or 51 depending on whether this connection was using ESP, AH or both.

>
> Those are not needed if you are using NAT-T.
>
> http://groups.google.ca/group/comp.d...0c24806cde9f6b


Walter,

Hi.

I looked up the URL you enclosed. This makes sense; however, why in the post
are there examples of using both UDP 4500 with ESP and/or AH as follows:

- UDP 4500 plus ESP. See Note 1. See Note 4
- UDP 4500 plus AH. See Note 2. See Note 5

Does this mean NAT-T (4500) or IPSEC over UDP port 4500? I think it refers
to the latter, i.e. IPSEC over UDP 4500 where this is used as a replacement
for NAT-T. Furthermore, the link is saying that the VPN would break if the
VPN was using IPSEC over UDP and the ISP then blocks ESP / AH.

I was confused as in the VPN reading I have done I seem to recall that the
default port for Cisco's IPSEC over UDP was port 10,000.

If this is correct, why do you need the ESP / AH anyway if NAT-T 4500 doesn't?

Regards

Darren

