Ports for Cisco VPN 3000 appliance

Which ports should I open on the firewall allowing "Site to Site" and "Client to Site" IP Sec VPNs as well as Clientless VPNs?

By the way, can this Cisco VPN be placed in the DMZ or behind the firewall on the internal network?

Any info/pointers are much appreciated.

Thanks,

Reply to
Doug Fox

In article , Doug Fox wrote:
:Which ports should I open on the firewall allowing "Site to Site" and
:"Client to Site" IP Sec VPNs as well as Clientless VPNs?

FAQ, answered a number of times here before, and answered on Cisco's site.

Pure IPsec: udp 500, IP protocol 50 (ESP), IP protocol 51 (AH)

If NAT-Traversal is enabled:

udp 500, udp 4500 as a destination (no outgoing traffic from udp 4500), random dynamic port > 1023 as a source w/ that udp 4500 destination (no incoming traffic to that dynamic port)

:By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
:on the internal network?

Yup, but if you have AH enabled and you are not using NAT-Traversal, then you must use identity NAT (the IP must not be changed in this case.)

If you do not have AH, and you are not using NAT-Traversal, then you can use identity NAT or 1-to-1 NAT (the IP can change in this case).

If you are using PAT, and are not using NAT-Traversal, then you might support exactly -one- active peer (and you would not be able to support PPTP or PPPoE on the same firewall outer interface, if I recall correctly.)

If you are using PAT and you do use NAT-Traversal, there is no particular limit on the number of peers you can have flowing through.

Reply to
Walter Roberson
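As an added illustration of the port list in the answer above (not code from the poster or from Cisco), the following Python models the IPsec pass-through policy for a stateful firewall in front of the appliance: IKE on UDP 500, ESP and AH as IP protocols 50 and 51, and, when NAT-Traversal is on, UDP 4500 only as a destination with an ephemeral (>1023) source. It also renders the same policy as Linux iptables rules; the address `203.0.113.10` and the `FORWARD`-chain placement are assumptions, and only the packet that opens a flow is evaluated because replies are matched by connection state.

```python
"""Model of the IPsec pass-through firewall policy described in the thread.

Assumptions (not from the original post): the firewall is stateful, so the
policy only has to admit the packet that opens each flow; return traffic
(for example the appliance answering from UDP 4500 to the peer's dynamic
port) is admitted by the ESTABLISHED state rule, which is why no separate
"from udp 4500" rule is needed.
"""
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers and well-known ports used by IPsec
UDP, ESP, AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Flow:
    """The flow-opening packet, seen from the firewall toward the appliance."""
    proto: int                       # IP protocol number
    src_port: Optional[int] = None   # None for port-less protocols (ESP/AH)
    dst_port: Optional[int] = None


def ipsec_flow_allowed(flow: Flow, nat_traversal: bool = False) -> bool:
    """Return True if this flow-opening packet should be passed to the VPN."""
    if flow.proto in (ESP, AH):
        return True                  # pure IPsec data: protocols 50 and 51, no ports
    if flow.proto != UDP:
        return False                 # nothing else in the IPsec set uses TCP etc.
    if flow.dst_port == IKE_PORT:
        return True                  # IKE key exchange on UDP 500
    if nat_traversal and flow.dst_port == NAT_T_PORT:
        # NAT-T: UDP 4500 only as destination, dynamic source port above 1023
        return flow.src_port is not None and flow.src_port > 1023
    return False


def iptables_rules(vpn_ip: str, nat_traversal: bool = False) -> List[str]:
    """Render the policy as iptables FORWARD rules (assumed Linux firewall)."""
    rules = [
        # replies for any admitted flow, including the appliance's UDP 4500 answers
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -d {vpn_ip} -p udp --dport {IKE_PORT} -j ACCEPT",
        f"iptables -A FORWARD -d {vpn_ip} -p esp -j ACCEPT",
        f"iptables -A FORWARD -d {vpn_ip} -p ah -j ACCEPT",
    ]
    if nat_traversal:
        rules.append(
            f"iptables -A FORWARD -d {vpn_ip} -p udp "
            f"--sport 1024:65535 --dport {NAT_T_PORT} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # constructed sample flows, not captured traffic
    samples = {
        "IKE from a client": Flow(UDP, 51234, IKE_PORT),
        "ESP tunnel data": Flow(ESP),
        "NAT-T data, NAT-T off": Flow(UDP, 51234, NAT_T_PORT),
        "NAT-T data, NAT-T on": Flow(UDP, 51234, NAT_T_PORT),
        "new flow *from* 4500": Flow(UDP, NAT_T_PORT, 51234),
        "HTTPS to the appliance": Flow(6, 51234, 443),
    }
    for name, flow in samples.items():
        nat_t = "NAT-T on" in name
        print(f"{name:28s} -> {'allow' if ipsec_flow_allowed(flow, nat_t) else 'deny'}")
    print("\n".join(iptables_rules("203.0.113.10", nat_traversal=True)))
```

The sample run shows the distinction the answer draws: the same UDP 4500 packet is dropped until NAT-Traversal is enabled, and a flow that starts from port 4500 toward a dynamic port is never opened by rule because it only ever appears as a reply. The rules are written for a firewall with the appliance on a DMZ or internal address; for site-to-site tunnels the appliance itself initiates, the same matches are needed in the outbound direction.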

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.