In article , Doug Fox wrote:
:Which ports should I open on the firewall allowing "Site to Site" and
:"Client to Site" IP Sec VPNs as well as Clientless VPNs?
FAQ, answered a number of times here before, and answered on Cisco's site.
Pure IPsec: udp 500, IP protocol 50 (ESP), IP protocol 51 (AH)
If NAT-Traversal is enabled:
udp 500, udp 4500 as a destination (no outgoing traffic from udp 4500), random dynamic port > 1023 as a source w/ that udp 4500 destination (no incoming traffic to that dynamic port)
:By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
:on the internal network?
Yup, but if you have AH enabled and you are not using NAT-Traversal, then you must use identity NAT (the IP must not be changed in this case.)
If you do not have AH, and you are not using NAT-Traversal, then you can use identity NAT or 1-to-1 NAT (the IP can change in this case).
If you are using PAT, and are not using NAT-Traversal, then you might support exactly -one- active peer (and you would not be able to support PPTP or PPPoE on the same firewall outer interface, if I recall correctly.)
If you are using PAT and you do use NAT-Traversal, there is no particular limit on the number of peers you can have flowing through.
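An added example, not part of the post above: a small Python model of the IPsec allow-list it describes (udp/500, ESP, AH, and udp/4500 when NAT-Traversal is on), run over constructed sample packets. It assumes a stateful firewall, so only the initiating direction of a UDP flow is checked and reply traffic is matched by state.

```python
from dataclasses import dataclass

IKE_PORT = 500      # ISAKMP / IKE
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT-T is negotiated
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int        # IP protocol number
    sport: int = 0    # UDP source port (0 for non-UDP)
    dport: int = 0    # UDP destination port (0 for non-UDP)


def ipsec_allowed(pkt: Packet, nat_traversal: bool) -> bool:
    """Should an edge firewall pass this packet for IPsec VPN peers?

    Assumption: the firewall is stateful, so only the initiating
    direction is modelled; return traffic is accepted by state.
    """
    if pkt.proto in (PROTO_ESP, PROTO_AH):
        return True                      # native IPsec, no ports involved
    if pkt.proto != PROTO_UDP:
        return False
    if pkt.sport == IKE_PORT and pkt.dport == IKE_PORT:
        return True                      # IKE between peers with no NAT in path
    if not nat_traversal:
        return False                     # nothing else is needed for pure IPsec
    # NAT-T: destination udp/4500; the source is udp/4500 when the sender is
    # not behind NAT, or an ephemeral port >1023 rewritten by a NAT device.
    return pkt.dport == NAT_T_PORT and (pkt.sport == NAT_T_PORT or pkt.sport > 1023)


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet(PROTO_UDP, 500, 500),     # IKE
        Packet(PROTO_ESP),               # ESP
        Packet(PROTO_UDP, 40001, 4500),  # NAT-T from a NATed peer
        Packet(PROTO_UDP, 80, 4500),     # bogus low source port towards 4500
        Packet(PROTO_UDP, 40001, 1723),  # PPTP control channel, not IPsec
    ]
    for p in samples:
        print(p, "pure:", ipsec_allowed(p, False), "nat-t:", ipsec_allowed(p, True))
```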