Hi, I set up a remote VPN for a couple of users, but need to know what ports need to be open on my router to allow their VPN connection. I am using just a basic IPsec VPN. Thanks in advance.
Remote user ---> cisco 2600 router ---> pix 515E
Google is down at the moment, so I can't just grab the link and post it, but I have posted this information several times in this newsgroup. Try searching google news on
group:comp.dcom.sys.cisco author:roberson ipsec pptp l2tp ah esp
For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if NAT-T is supported (very common).
UDP 500 is used for IKE/ISAKMP. If you are not runn
> Hi, I setup a remote vpn for a couple of users, but need to know what
And see my posting for information on where to find the other things you need if NAT-T is -not- supported (also very common)
Hmmm, what happens if you are using fixed SAs (Security Associations) but you want NAT-T? In theory the two are orthogonal, with NAT-T defining encapsulation procedures and the SA fields not coming into effect until after the decapsulation. But NAT-T without IKE sounds like it would require UDP 4500?
On the outside router I take it that you would also need to allow ports 50 and/or 51, depending on whether this connection was using ESP, AH or both.
Regards
Darren
Those are not needed if you are using NAT-T.
Hi.
I looked up the URL you enclosed. This makes sense; however, why in the post are there examples of using both UDP 4500 with ESP and/or AH, as follows:
- UDP 4500 plus ESP. See Note 1. See Note 4
- UDP 4500 plus AH. See Note 2. See Note 5
Does this mean NAT-T (4500) or IPsec over UDP port 4500? I think it refers to the latter, i.e. IPsec over UDP 4500, where this is used as a replacement for NAT-T. Furthermore, the link is saying that the VPN would break if the VPN was using IPsec over UDP and the ISP then blocks ESP/AH.
I was confused, as in the VPN reading I have done I seem to recall that the default port for Cisco's IPsec over UDP was port 10,000.
If this is correct, why do you need the ESP/AH anyway if NAT-T 4500 doesn't?
Regards
Darren
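Added illustration (not posted by anyone in this thread): an inbound filter for the 2600's outside interface covering both cases discussed above, the NAT-T case (UDP 500 plus UDP 4500) and the no-NAT-T case (UDP 500 plus native ESP/AH). The PIX outside address 192.0.2.10 is a placeholder and the interface name Serial0/0 is an assumption.

```cisco
! Placeholder: 192.0.2.10 stands for the PIX 515E outside address.
ip access-list extended OUTSIDE-IN
 remark IKE/ISAKMP negotiation is always needed
 permit udp any host 192.0.2.10 eq 500
 remark Case 1: NAT-T in use. IKE and UDP-encapsulated ESP both ride
 remark on UDP 4500, so no native ESP/AH entries are required.
 permit udp any host 192.0.2.10 eq 4500
 remark Case 2: NAT-T not in use. ESP and AH are IP protocols 50 and 51,
 remark not TCP/UDP ports, so they are matched by protocol name.
 permit esp any host 192.0.2.10
 permit ahp any host 192.0.2.10
 remark Log what is dropped so blocked tunnel traffic shows up in syslog
 deny ip any any log
!
! Assumed outside interface name; apply the list inbound on it.
interface Serial0/0
 ip access-group OUTSIDE-IN in
```

If every remote user negotiates NAT-T, the two ESP/AH lines can be dropped to narrow the exposure; keep them only while clients without NAT-T still connect, and the `deny ... log` line will show which case a failing client falls into.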