VPN Firewall ports

Discussion in 'Cisco' started by jtrooney@gmail.com, Sep 8, 2006.

  1. Guest

    Hi, I set up a remote VPN for a couple of users, but need to know what
    ports need to be open on my router to allow their VPN connection. I am
    using just a basic IPsec VPN. Thanks in advance.


    Remote user ---> cisco 2600 router ---> pix 515E
    , Sep 8, 2006
    #1

  2. In article <>,
    <> wrote:
    >Hi, I setup a remote vpn for a couple of users, but need to know what
    >ports need to be open on my router to allow their vpn connection. I am
    >using just a basic ipsec vpn. Thanks in advance.


    >Remote user ---> cisco 2600 router ---> pix 515E


    Google is down at the moment, so I can't just grab the link and
    post it, but I have posted this information several times in this
    newsgroup. Try searching google news on

    group:comp.dcom.sys.cisco author:roberson ipsec pptp l2tp ah esp
    Walter Roberson, Sep 8, 2006
    #2

  3. CCIE 15766 Guest

    For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
    NAT-T is supported (very common).

    UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
    is very uncommon), you do not need to open it (neither UDP 4500).

    wrote:
    > Hi, I setup a remote vpn for a couple of users, but need to know what
    > ports need to be open on my router to allow their vpn connection. I am
    > using just a basic ipsec vpn. Thanks in advance.
    >
    >
    > Remote user ---> cisco 2600 router ---> pix 515E
    CCIE 15766, Sep 8, 2006
    #3
  4. In article <>,
    CCIE 15766 <> wrote:
    >For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
    >NAT-T is supported (very common).


    And see my posting for information on where to find the other things
    you need if NAT-T is -not- supported (also very common).


    >UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
    >is very uncommon), you do not need to open it (neither UDP 4500).


    Hmmm, what happens if you are using fixed SA (Security Associations) but
    you want NAT-T? In theory the two are orthogonal, with NAT-T defining
    encapsulation procedures and the SA fields not coming into effect
    until after the decapsulation. But NAT-T without IKE sounds like it
    would require UDP 4500 ?
    Walter Roberson, Sep 8, 2006
    #4
  5. Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:eGkMg.517950$Mn5.509270@pd7tw3no...
    > In article <>,
    > CCIE 15766 <> wrote:
    >>For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if
    >>NAT-T is supported (very common).

    >
    > And see my posting for information on where to find the other things
    > you need if NAT-T is -not- supported (also very common)
    >
    >
    >>UDP 500 is used for IKE/ISAKMP. If you are not running IKE/ISAKMP (that
    >>is very uncommon), you do not need to open it (neither UDP 4500).

    >
    > Hmmm, what happens if you are using fixed SA (Security Associations) but
    > you want NAT-T? In theory the two are orthogonal, with NAT-T defining
    > encapsulation procedures and the SA fields not coming into effect
    > until after the decapsulation. But NAT-T without IKE sounds like it
    > would require UDP 4500 ?


    On the outside router I take it that you would also need to allow ports 50 &
    / or 51 depending on whether this connection was using ESP, AH or both.

    Regards

    Darren
    Darren Green, Sep 9, 2006
    #5
  6. Walter Roberson, Sep 9, 2006
    #6
  7. Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:jHAMg.534988$IK3.403965@pd7tw1no...
    > In article <>,
    > Darren Green <> wrote:
    >
    >>On the outside router I take it that you would also need to allow ports 50 &
    >>/ or 51 depending on whether this connection was using ESP, AH or both.

    >
    > Those are not needed if you are using NAT-T.
    >
    > http://groups.google.ca/group/comp.dcom.sys.cisco/msg/5c0c24806cde9f6b


    Walter,

    Hi.

    I looked up the URL you enclosed. This makes sense; however, why in the post
    are there examples of using UDP 4500 together with ESP and/or AH, as follows:

    - UDP 4500 plus ESP. See Note 1. See Note 4
    - UDP 4500 plus AH. See Note 2. See Note 5

    Does this mean NAT-T (4500) or IPSEC over UDP port 4500? I think it refers
    to the latter, i.e. IPSEC over UDP 4500 where this is used as a replacement
    for NAT-T. Furthermore, the link is saying that the VPN would break if the
    VPN was using IPSEC over UDP and the ISP then blocks ESP / AH.

    I was confused as in the VPN reading I have done I seem to recall that the
    default port for Cisco's IPSEC over UDP was port 10,000.

    If this is correct, why do you need the ESP / AH anyway if NAT-T 4500 doesn't?

    Regards

    Darren
    Darren Green, Sep 10, 2006
    #7
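The port rules discussed across this thread (UDP 500 for IKE, UDP 4500 when NAT-T is in use, IP protocols 50/ESP and 51/AH otherwise) and the question of what actually travels inside UDP 4500, as an added example that is not part of the original posts. It is a small Python policy check plus a decoder for UDP 4500 payloads; the packet samples are constructed, and the 4-byte non-ESP marker and 1-byte keepalive follow RFC 3948, which the thread does not cite.

```python
import struct

# IP protocol numbers and UDP ports named in the thread.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
PORT_IKE, PORT_NATT = 500, 4500
# RFC 3948 (assumed here, not from the thread): IKE carried on UDP 4500 is
# prefixed with four zero bytes so a receiver can tell it from ESP-in-UDP,
# whose first four bytes are a non-zero SPI. A lone 0xFF byte is a keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def inbound_allowed(proto, dst_port, nat_t):
    """Return True if the outside router should pass this inbound packet to
    the VPN endpoint, given the thread's rule set:
    - UDP 500 (IKE/ISAKMP) is always needed;
    - UDP 4500 is needed only when NAT-T is used;
    - raw ESP (50) and AH (51) are needed only when NAT-T is NOT used,
      because NAT-T wraps them inside UDP 4500 instead."""
    if proto == PROTO_UDP and dst_port == PORT_IKE:
        return True
    if proto == PROTO_UDP and dst_port == PORT_NATT:
        return nat_t
    if proto in (PROTO_ESP, PROTO_AH):
        return not nat_t
    return False


def classify_udp4500(payload):
    """Decode what a UDP 4500 datagram carries: ('keepalive', None),
    ('ike', None) or ('esp', spi)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(payload) < 4:
        raise ValueError("payload too short for NAT-T")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    spi = struct.unpack("!I", payload[:4])[0]  # network byte order
    return ("esp", spi)


if __name__ == "__main__":
    # Constructed sample flows: (protocol, destination port or None).
    flows = [(PROTO_UDP, 500), (PROTO_UDP, 4500), (PROTO_ESP, None), (PROTO_AH, None)]
    for nat_t in (True, False):
        allowed = [f for f in flows if inbound_allowed(*f, nat_t)]
        print(f"NAT-T={nat_t}: permit {allowed}")
    print(classify_udp4500(NON_ESP_MARKER + b"\x11" * 28))   # ('ike', None)
    print(classify_udp4500(b"\x00\x01\xf4\xc3" + b"\x00" * 8))  # ('esp', 128195)
```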
