Ports for Clientless VPN on Cisco VPN 3000 Series

Discussion in 'Computer Security' started by Doug Fox, Sep 9, 2005.

  1. Doug Fox

    Doug Fox Guest

    Which ports should I open on the firewall allowing "Site to Site" and
    "Client to Site" IP Sec VPNs as well as Clientless VPNs?

    By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
    on the internal network?

    Any info/pointers are much appreciated.

    Thanks,
    Doug Fox, Sep 9, 2005
    #1

  2. Doug Fox

    Imhotep Guest

    Doug Fox wrote:

    > Which ports should I open on the firewall allowing "Site to Site" and
    > "Client to Site" IP Sec VPNs as well as Clientless VPNs?
    >
    > By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
    > on the internal network?
    >
    > Any info/pointers are much appreciated.
    >
    > Thanks,


    What configuration are you using? Are you doing NAT Traversal (NAT-T)? Are
    you using ESP or AH?

    If you are using VPN for clients I would suggest using NAT-T...The reason is
    that a lot of home users use NAT/PAT which can cause problems for ESP.
    Which is why NAT-T was invented....

    I have not used clientless VPN with Cisco yet. Usually, but not always, they
    use the secure web ports 443...

    I hope that helps. Please reply back with your specific configuration
    requirements...


    Imhotep
    Imhotep, Sep 9, 2005
    #2
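The reply above says NAT/PAT "can cause problems for ESP" and that this is why NAT-T exists. The following is an added example, not code from the thread, that makes the problem concrete with a deliberately simplified PAT model: a translation table keyed on (IP protocol, outside port). Plain ESP has no transport header, so there is no port to rewrite, and the model can carry only one ESP flow per inside host to a given peer; with NAT-T (RFC 3948) the same ESP payload rides in UDP and gets a translatable source port. All addresses, SPIs and ports are constructed sample values, and real NAT devices differ in how they handle the collision (some track SPIs, many just drop the second flow).

```python
"""Why NAT/PAT has trouble with plain ESP, and what NAT-T changes.

Added example, not code from the thread.  A home NAT/PAT box is modelled
as a translation table keyed on (IP protocol, outside port).  Plain ESP
(IP protocol 50) has no transport header and therefore no port to rewrite,
so the box cannot tell two inside hosts' return traffic apart.  NAT-T
(RFC 3948) wraps the same ESP payload in UDP, and the UDP source port gives
PAT something to map.  All addresses, SPIs and ports below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional

ESP = 50           # IP protocol number (not a TCP/UDP port)
UDP = 17
NAT_T_PORT = 4500  # RFC 3948 port; the thread mentions Cisco's UDP 10000 default


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP/AH: there is no port field
    dport: Optional[int] = None
    spi: int = 0                 # ESP Security Parameters Index, carried unchanged


class PatBox:
    """Minimal PAT model: rewrites source address/port outbound, reverses inbound."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table: dict = {}  # (proto, outside port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No port to translate: the only key available is the protocol
            # itself, so a second inside host using the same protocol collides.
            key = (pkt.proto, None)
            owner = self.table.get(key)
            if owner is not None and owner[0] != pkt.src:
                raise LookupError(f"cannot map a second protocol-{pkt.proto} flow from {pkt.src}")
            self.table[key] = (pkt.src, None)
            return replace(pkt, src=self.outside_ip)
        outside_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, outside_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=outside_port)

    def inbound(self, pkt: Packet) -> Packet:
        inside_ip, inside_port = self.table[(pkt.proto, pkt.dport)]
        return replace(pkt, dst=inside_ip, dport=inside_port)


CONCENTRATOR = "198.51.100.1"  # constructed VPN concentrator address


def plain_esp_scenario() -> str:
    """Two inside hosts start plain ESP to the same concentrator."""
    nat = PatBox("203.0.113.10")
    host_a = Packet(ESP, "192.168.1.2", CONCENTRATOR, spi=0x1001)
    host_b = Packet(ESP, "192.168.1.3", CONCENTRATOR, spi=0x2002)
    nat.outbound(host_a)
    try:
        nat.outbound(host_b)
    except LookupError:
        return "collision"
    return "ok"


def nat_t_scenario() -> tuple:
    """Same two hosts with ESP wrapped in UDP/4500; returns where each reply lands."""
    nat = PatBox("203.0.113.10")
    host_a = Packet(UDP, "192.168.1.2", CONCENTRATOR, NAT_T_PORT, NAT_T_PORT, spi=0x1001)
    host_b = Packet(UDP, "192.168.1.3", CONCENTRATOR, NAT_T_PORT, NAT_T_PORT, spi=0x2002)
    out_a = nat.outbound(host_a)
    out_b = nat.outbound(host_b)
    # The concentrator answers to whatever source port it saw after translation.
    reply_a = Packet(UDP, CONCENTRATOR, nat.outside_ip, NAT_T_PORT, out_a.sport, spi=host_a.spi)
    reply_b = Packet(UDP, CONCENTRATOR, nat.outside_ip, NAT_T_PORT, out_b.sport, spi=host_b.spi)
    return nat.inbound(reply_a).dst, nat.inbound(reply_b).dst


if __name__ == "__main__":
    print("plain ESP behind PAT:", plain_esp_scenario())
    print("NAT-T replies delivered to:", nat_t_scenario())
```

The design choice worth noting is the key of the translation table: PAT is only as good as the tuple it can rewrite, and ESP offers nothing beyond the protocol number. That is the whole reason for putting a UDP header in front of it.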

  3. Doug Fox

    Imhotep Guest

    Imhotep wrote:

    > Doug Fox wrote:
    >
    >> Which ports should I open on the firewall allowing "Site to Site" and
    >> "Client to Site" IP Sec VPNs as well as Clientless VPNs?
    >>
    >> By the way, can this Cisco VPN be placed in the DMZ or behind the
    >> firewall on the internal network?
    >>
    >> Any info/pointers are much appreciated.
    >>
    >> Thanks,
    >
    > What configuration are you using? Are you doing NAT Traversal (NAT-T)?
    > Are you using ESP or AH?
    >
    > If you are using VPN for clients I would suggest using NAT-T...The reason
    > is that a lot of home users use NAT/PAT which can cause problems for ESP.
    > Which is why NAT-T was invented....
    >
    > I have not used clientless VPN with Cisco yet. Usually, but not always,
    > they use the secure web ports 443...
    >
    > I hope that helps. Please reply back with your specific configuration
    > requirements...
    >
    >
    > Imhotep
    Ah, I almost forgot.

    VPN (non NAT-T) uses either ESP or AH. These ARE NOT TCP/UDP ports but IP
    protocol numbers:

    ESP IP protocol type 50
    AH IP protocol type 51

    Either choice will use isakmp on port 500 udp

    NAT-T is different let me know if you are using it and I will explain it as
    I understand it...basically it encapsulates either ESP or AH packets and
    sends them over a UDP port (most people use UDP 10000)

    Im
    Imhotep, Sep 9, 2005
    #3
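The post above makes the point that ESP and AH are IP protocol numbers, not TCP/UDP ports. The following is an added example, not code from the thread or from Cisco, that turns the port list from the thread into a small rule matcher with an iptables rendering, and checks a correct rule set against the common mistake of writing the protocol numbers as UDP ports. ISAKMP UDP/500, NAT-T UDP/4500 (RFC 3948) and HTTPS TCP/443 are standard values; UDP/10000 is the Cisco IPsec-over-UDP default the thread mentions; the concentrator address and the sample flows are constructed.

```python
"""Firewall allow-list for the VPN traffic discussed in the thread, as a
small rule matcher plus an iptables rendering.

Added example, not code from the thread or from Cisco.  ESP and AH are IP
protocol numbers (50, 51), not TCP/UDP ports, so a rule written as
"udp port 50" never matches an ESP packet.  ISAKMP UDP/500, NAT-T UDP/4500
and HTTPS TCP/443 are standard; UDP/10000 is the Cisco IPsec-over-UDP
default the thread mentions.  The concentrator address is constructed.
"""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51
PROTO_NAMES = {TCP: "tcp", UDP: "udp", ESP: "esp", AH: "ah"}


@dataclass(frozen=True)
class Rule:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # destination port; only meaningful for TCP/UDP
    comment: str = ""

    def matches(self, proto: int, dport: Optional[int]) -> bool:
        if self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

    def to_iptables(self, dst: str, chain: str = "FORWARD") -> str:
        """Render as an iptables ACCEPT rule towards the concentrator."""
        parts = ["iptables", "-A", chain, "-p", PROTO_NAMES[self.proto], "-d", dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", "ACCEPT"]
        return " ".join(parts) + (f"  # {self.comment}" if self.comment else "")


# Inbound allow-list towards the concentrator, one rule per item in the thread.
VPN_INBOUND = [
    Rule(UDP, 500, "ISAKMP / IKE key exchange"),
    Rule(ESP, None, "IPsec ESP, IP protocol 50, no port"),
    Rule(AH, None, "IPsec AH, IP protocol 51, no port"),
    Rule(UDP, 4500, "NAT-T, RFC 3948"),
    Rule(UDP, 10000, "Cisco IPsec over UDP (default from the thread)"),
    Rule(TCP, 443, "clientless / WebVPN over TLS"),
]

# The common mistake: treating the protocol numbers as UDP ports.
MISTAKEN_RULES = [Rule(UDP, 50), Rule(UDP, 51), Rule(UDP, 500)]


def is_allowed(rules, proto: int, dport: Optional[int] = None) -> bool:
    """Every rule is ACCEPT, so any match admits the flow."""
    return any(r.matches(proto, dport) for r in rules)


def render_ruleset(rules, dst: str) -> list:
    return [r.to_iptables(dst) for r in rules]


# Constructed traffic samples as (description, proto, dport).
SAMPLE_TRAFFIC = [
    ("IKE main mode", UDP, 500),
    ("ESP tunnel packet", ESP, None),
    ("AH packet", AH, None),
    ("NAT-T encapsulated ESP", UDP, 4500),
    ("clientless login", TCP, 443),
    ("telnet to concentrator", TCP, 23),
]


def audit(rules) -> dict:
    """Map each sample flow to whether the rule set admits it."""
    return {desc: is_allowed(rules, proto, dport) for desc, proto, dport in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for line in render_ruleset(VPN_INBOUND, "198.51.100.1"):
        print(line)
    print("correct rules:", audit(VPN_INBOUND))
    print("mistaken rules:", audit(MISTAKEN_RULES))
```

Running the audit against MISTAKEN_RULES shows IKE getting through (UDP/500 happens to be right) while every ESP and AH packet is dropped, which is exactly the symptom of a tunnel that negotiates phase 1 and then passes no traffic.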
