Ports for Clientless VPN on Cisco VPN 3000 Series

Discussion in 'Computer Security' started by Doug Fox, Sep 9, 2005.

  1. Doug Fox (Guest)

    Which ports should I open on the firewall allowing "Site to Site" and
    "Client to Site" IP Sec VPNs as well as Clientless VPNs?

    By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
    on the internal network?

    Any info/pointers are much appreciated.

    Doug Fox, Sep 9, 2005

  2. Imhotep (Guest)

    What configuration are you using? Are you doing NAT Traversal (NAT-T)? Are
    you using ESP or AH?

    If you are using VPN for clients I would suggest using NAT-T...The reason is
    that a lot of home users use NAT/PAT which can cause problems for ESP.
    Which is why NAT-T was invented....

    I have not used clientless VPN with Cisco yet. Usually, but not always, they
    use the secure web ports 443...

    I hope that helps. Please reply back with your specific configuration.

    Imhotep, Sep 9, 2005

  3. Imhotep (Guest)

    Ah, I almost forgot.

    VPN (non NAT-T) uses either ESP or AH. These ARE NOT TCP/UDP ports but IP
    protocol numbers:

    ESP IP protocol type 50
    AH IP protocol type 51

    Either choice will use ISAKMP on UDP port 500.

    NAT-T is different let me know if you are using it and I will explain it as
    I understand it...basically it encapsulates either ESP or AH packets and
    sends them over a UDP port (most people use UDP 10000)

    Imhotep, Sep 9, 2005
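The two answers above list the traffic a firewall in front of the concentrator has to pass: IP protocol 50 (ESP) or 51 (AH), UDP 500 for ISAKMP, a UDP port for NAT-T, and TCP 443 for the clientless (web) VPN. The following block is an added example, not code from the thread or from Cisco: it classifies constructed packet tuples into those categories so a firewall or IDS rule can be checked against them, and it audits an allow-list against the minimal set of rules a given configuration needs. The NAT-T payload parsing follows the standard UDP 4500 framing (RFC 3947/3948: a one-byte 0xFF keepalive, a four-zero-byte non-ESP marker before IKE, otherwise a non-zero ESP SPI); UDP 10000, mentioned in the thread as the common choice, is Cisco's IPsec-over-UDP port whose framing the thread does not describe, so it is only labelled, not parsed. The `Packet`/`Rule` types and all port assignments are this example's own assumptions.

```python
"""Classify VPN traffic at a firewall and audit the allow-list for it.

Added example, not code from the thread or from Cisco. All packets are
constructed. NAT-T framing follows RFC 3947/3948 on UDP 4500; UDP 10000
(Cisco IPsec over UDP, as mentioned in the thread) is labelled only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
PORT_ISAKMP, PORT_NAT_T, PORT_CISCO_IPSEC_UDP, PORT_HTTPS = 500, 4500, 10000, 443

# An allow-list entry: (IP protocol number, destination port or None).
# ESP and AH are IP protocols, not TCP/UDP services, so they carry no port.
Rule = Tuple[int, Optional[int]]


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the fields a firewall matches on."""
    proto: int
    dst_port: Optional[int] = None
    payload: bytes = b""


def classify_nat_t_payload(payload: bytes) -> str:
    """Tell apart the three things that arrive on UDP 4500 (RFC 3947/3948)."""
    if payload == b"\xff":                    # one-byte NAT keepalive
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":    # non-ESP marker precedes an IKE header
        return "ike-over-nat-t"
    return "udp-encapsulated-esp"             # first four bytes are a non-zero ESP SPI


def classify(pkt: Packet) -> str:
    """Map a packet to the VPN traffic class a firewall rule should name."""
    if pkt.proto == PROTO_ESP:
        return "esp"
    if pkt.proto == PROTO_AH:
        return "ah"
    if pkt.proto == PROTO_UDP:
        if pkt.dst_port == PORT_ISAKMP:
            return "isakmp"
        if pkt.dst_port == PORT_NAT_T:
            return classify_nat_t_payload(pkt.payload)
        if pkt.dst_port == PORT_CISCO_IPSEC_UDP:
            return "ipsec-over-udp"           # framing not described in the thread
    if pkt.proto == PROTO_TCP and pkt.dst_port == PORT_HTTPS:
        return "clientless-tls"
    return "other"


def required_allow_rules(ipsec_proto: str = "esp", nat_t_port: Optional[int] = None,
                         clientless: bool = False) -> Set[Rule]:
    """Smallest inbound allow-list for the concentrator, per the answers above."""
    if ipsec_proto not in ("esp", "ah"):
        raise ValueError("ipsec_proto must be 'esp' or 'ah'")
    rules: Set[Rule] = {(PROTO_UDP, PORT_ISAKMP)}
    rules.add((PROTO_ESP, None) if ipsec_proto == "esp" else (PROTO_AH, None))
    if nat_t_port is not None:                # 4500 (RFC) or 10000 (Cisco), as configured
        rules.add((PROTO_UDP, nat_t_port))
    if clientless:
        rules.add((PROTO_TCP, PORT_HTTPS))
    return rules


def audit_allowlist(allowed: Set[Rule], required: Set[Rule]) -> Dict[str, Set[Rule]]:
    """Least-privilege check: what is still blocked, and what is open for no reason."""
    return {"missing": required - allowed, "excess": allowed - required}


if __name__ == "__main__":
    samples = [Packet(PROTO_ESP), Packet(PROTO_UDP, 500),
               Packet(PROTO_UDP, 4500, b"\x00\x00\x00\x00" + b"\x01" * 28),
               Packet(PROTO_UDP, 4500, b"\xff"), Packet(PROTO_TCP, 443), Packet(PROTO_TCP, 23)]
    for p in samples:
        print(p.proto, p.dst_port, "->", classify(p))
    print(audit_allowlist({(PROTO_ESP, None), (PROTO_UDP, 500), (PROTO_TCP, 23)},
                          required_allow_rules("esp", nat_t_port=10000, clientless=True)))
```

`required_allow_rules` mirrors the choices the answers ask about (ESP or AH, NAT-T or not, clientless or not), so the audit result shows exactly which of those the firewall policy forgot and which rules, such as a stray telnet allow, serve none of the VPN modes.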
