«

Hi, I setup a remote vpn for a couple of users, but need to know what
ports need to be open on my router to allow their vpn connection. I am
using just a basic ipsec vpn. Thanks in advance.


Remote user ---> cisco 2600 router ---> pix 515E

In article <. com>,
<> wrote:
>Hi, I setup a remote vpn for a couple of users, but need to know what
>ports need to be open on my router to allow their vpn connection. I am
>using just a basic ipsec vpn. Thanks in advance.

>Remote user ---> cisco 2600 router ---> pix 515E

Google is down at the moment, so I can't just grab the link and
post it, but I have posted this information several times in this
newsgroup. Try searching google news on

group:comp.dcom.sys.cisco author:roberson ipsec pptp l2tp ah esp

For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
NAT-T is supported (very common).

UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
is very uncommon), you do not need to open it (neither UDP 4500).

wrote:
> Hi, I setup a remote vpn for a couple of users, but need to know what
> ports need to be open on my router to allow their vpn connection. I am
> using just a basic ipsec vpn. Thanks in advance.
>
>
> Remote user ---> cisco 2600 router ---> pix 515E

In article <. com>,
CCIE 15766 <> wrote:
>For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
>NAT-T is supported (very common).

And see my posting for information on where to find the other things
you need if NAT-T is -not- supported (also very common)


>UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
>is very uncommon), you do not need to open it (neither UDP 4500).

Hmmm, what happens if you are using fixed SA (Security Associations) but
you want NAT-T? In theory the two are orthogonal, with NAT-T defining
encapsulation procedures and the SA fields not coming into effect
until after the decapsulation. But NAT-T without IKE sounds like it
would require UDP 4500 ?

"Walter Roberson" <> wrote in message
news:eGkMg.517950$Mn5.509270@pd7tw3no...
> In article <. com>,
> CCIE 15766 <> wrote:
>>For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
>>NAT-T is supported (very common).
>
> And see my posting for information on where to find the other things
> you need if NAT-T is -not- supported (also very common)
>
>
>>UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
>>is very uncommon), you do not need to open it (neither UDP 4500).
>
> Hmmm, what happens if you are using fixed SA (Security Associations) but
> you want NAT-T? In theory the two are orthogonal, with NAT-T defining
> encapsulation procedures and the SA fields not coming into effect
> until after the decapsulation. But NAT-T without IKE sounds like it
> would require UDP 4500 ?

On the outside router I take it that you would also need to allow ports 50 &
/ or 51 depending on whether this connection was using ESP, AH or both.

Regards

Darren

In article <>,
Darren Green <> wrote:

>On the outside router I take it that you would also need to allow ports 50 &
>/ or 51 depending on whether this connection was using ESP, AH or both.

Those are not needed if you are using NAT-T.

http://groups.google.ca/group/comp.d...0c24806cde9f6b

"Walter Roberson" <> wrote in message
news:jHAMg.534988$IK3.403965@pd7tw1no...
> In article <>,
> Darren Green <> wrote:
>
>>On the outside router I take it that you would also need to allow ports 50
>>&
>>/ or 51 depending on whether this connection was using ESP, AH or both.
>
> Those are not needed if you are using NAT-T.
>
> http://groups.google.ca/group/comp.d...0c24806cde9f6b

Walter,

Hi.

I looked up the URL you enclosed. This makes sense, however, why in the post
is there examples of using both UDP 4500 with ESP & or AH as follows:

- UDP 4500 plus ESP. See Note 1. See Note 4
- UDP 4500 plus AH. See Note 2. See Note 5

Does this mean NAT-T (4500) or IPSEC over UDP port 4500. I think it refers
to the latter i.e. IPSEC over UDP 4500 where this is used as a replacement
for NAT-T. Furthermore, the link is saying that the VPN would break if the
VPN was using IPSEC over UDP and the ISP then blocks ESP / AH.

I was confused as in the VPN reading I have done I seem to recall that the
default port for Cisco's IPSEC over UDP was port 10,000.

If this is correct why do you need the ESP / AH anyway if NAT-T 4500 doesn't
?

Regards

Darren