Ports for Cisco VPN 3000 appliance

Discussion in 'Cisco' started by Doug Fox, Sep 9, 2005.

  1. Doug Fox

    Doug Fox Guest

    Which ports should I open on the firewall allowing "Site to Site" and
    "Client to Site" IP Sec VPNs as well as Clientless VPNs?

    By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
    on the internal network?

    Any info/pointers are much appreciated.

    Thanks,
    Doug Fox, Sep 9, 2005
    #1

  2. In article <>,
    Doug Fox <> wrote:
    :Which ports should I open on the firewall allowing "Site to Site" and
    :"Client to Site" IP Sec VPNs as well as Clientless VPNs?

    FAQ, answered a number of times here before, and answered on Cisco's site.

    Pure IPsec:
    udp 500, IP protocol 50 (ESP), IP protocol 51 (AH)

    If NAT-Traversal is enabled:

    udp 500, udp 4500 as a destination (no outgoing traffic from udp 4500),
    random dynamic port > 1023 as a source w/ that udp 4500 destination
    (no incoming traffic to that dynamic port)


    :By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
    :on the internal network?

    Yup, but if you have AH enabled and you are not using NAT-Traversal,
    then you must use identity NAT (the IP must not be changed in this case.)

    If you do not have AH, and you are not using NAT-Traversal, then you
    can use identity NAT or 1-to-1 NAT (the IP can change in this case).

    If you are using PAT, and are not using NAT-Traversal, then you
    might support exactly -one- active peer (and you would not be able
    to support PPTP or PPPoE on the same firewall outer interface, if I
    recall correctly.)

    If you are using PAT and you do use NAT-Traversal, there is no
    particular limit on the number of peers you can have flowing through.
    --
    "This was a Golden Age, a time of high adventure, rich living and
    hard dying... but nobody thought so." -- Alfred Bester, TSMD
    Walter Roberson, Sep 9, 2005
    #2
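The answer above lays out which protocols and ports must be permitted and which NAT modes are compatible with an IPsec peer. As an added example that is not part of the original thread, the checker below encodes that reasoning so the policy can be derived and verified rather than recalled: the rule and NAT logic follows the answer, while the iptables rendering is an assumed Linux-firewall illustration (the Cisco appliance itself is not configured this way).

```python
# Added example (not from the thread): derive the perimeter-firewall rules an
# IPsec VPN peer needs and check NAT-placement constraints, per the answer above.
from __future__ import annotations

ESP, AH = 50, 51                       # IP protocol numbers (not TCP/UDP ports)


def required_rules(nat_traversal: bool, use_ah: bool = True) -> list[tuple]:
    """(proto, port, note) entries the perimeter firewall must permit to the VPN peer."""
    rules = [("udp", 500, "IKE; both directions")]
    if nat_traversal:
        # UDP-encapsulated ESP: 4500 is only ever the destination port; the
        # initiator's source is a dynamic port > 1023 that is never opened inbound.
        rules.append(("udp", 4500, "NAT-T; destination only, src port > 1023"))
    else:
        rules.append((ESP, None, "ESP; both directions"))
        if use_ah:
            rules.append((AH, None, "AH; both directions"))
    return rules


def nat_placement(nat_mode: str, nat_traversal: bool, use_ah: bool) -> tuple[bool, int | None]:
    """Can the concentrator sit behind this NAT mode? Returns (ok, max_peers); None = no limit."""
    if nat_mode not in {"identity", "one-to-one", "pat"}:
        raise ValueError(f"unknown NAT mode: {nat_mode}")
    if nat_traversal or nat_mode == "identity":
        return True, None              # NAT-T, or the address is never rewritten
    if use_ah:                         # AH authenticates the IP header: any address change breaks it
        return False, 0
    if nat_mode == "one-to-one":
        return True, None              # ESP only: the address may change 1-to-1
    return True, 1                     # PAT without NAT-T: a single active peer at best


def iptables_lines(rules, chain: str = "INPUT") -> list[str]:
    """Render rules as iptables commands (assumed Linux firewall; illustrative only)."""
    names = {ESP: "esp", AH: "ah"}
    out = []
    for proto, port, _note in rules:
        if port is None:
            out.append(f"iptables -A {chain} -p {names[proto]} -j ACCEPT")
        else:
            out.append(f"iptables -A {chain} -p {proto} --dport {port} -j ACCEPT")
    return out


if __name__ == "__main__":
    for line in iptables_lines(required_rules(nat_traversal=True)):
        print(line)
```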
