VPN Firewall ports

Hi, I set up a remote VPN for a couple of users, but need to know what ports need to be open on my router to allow their VPN connection. I am using just a basic IPsec VPN. Thanks in advance.

Remote user ---> cisco 2600 router ---> pix 515E

-- jtrooney

Google is down at the moment, so I can't just grab the link and post it, but I have posted this information several times in this newsgroup. Try searching google news on

group:comp.dcom.sys.cisco author:roberson ipsec pptp l2tp ah esp

-- Walter Roberson

For basic IPSec VPN, you should allow inbound UDP 500, and UDP 4500 if NAT-T is supported (very common).

UDP 500 is used for IKE/ISAKMP. If you are not runn

> Hi, I setup a remote vpn for a couple of users, but need to know what

-- CCIE 15766

And see my posting for information on where to find the other things you need if NAT-T is -not- supported (also very common).

Hmmm, what happens if you are using fixed SAs (Security Associations) but you want NAT-T? In theory the two are orthogonal, with NAT-T defining encapsulation procedures and the SA fields not coming into effect until after the decapsulation. But NAT-T without IKE sounds like it would require UDP 4500?

-- Walter Roberson

On the outside router I take it that you would also need to allow ports 50 and/or 51, depending on whether this connection was using ESP, AH or both.

Regards

Darren

-- Darren Green

Those are not needed if you are using NAT-T.


-- Walter Roberson
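As an added illustration (not configuration from the thread, from Cisco, or from either poster) of how the port list above and the NAT-T caveat translate into an inbound filter on the 2600's outside interface; the PIX outside address 203.0.113.10 and the interface name Serial0/0 are assumed placeholders:

```ios
! Added example, not from the thread. 203.0.113.10 is a constructed
! placeholder for the PIX 515E outside address; adjust to your own.
ip access-list extended OUTSIDE-IN
 remark IKE / ISAKMP (UDP 500) - always required for IPsec with IKE
 permit udp any host 203.0.113.10 eq isakmp
 remark IKE NAT-Traversal (UDP 4500) - required when NAT-T is negotiated
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark ESP (IP proto 50) and AH (IP proto 51) - only needed when NAT-T
 remark is NOT in use; with NAT-T the data rides inside UDP 4500 instead
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 remark the implicit deny at the end drops everything else inbound, so
 remark any other traffic the site must accept needs its own permit above
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
```

If the remote users will always be behind NAT and NAT-T is confirmed on both ends, the two ESP/AH permits can be dropped, which is the point Walter makes above.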

Hi.

I looked up the URL you enclosed. This makes sense; however, why in the post are there examples of using both UDP 4500 with ESP and/or AH, as follows:

- UDP 4500 plus ESP. See Note 1. See Note 4

- UDP 4500 plus AH. See Note 2. See Note 5

Does this mean NAT-T (4500) or IPSEC over UDP port 4500? I think it refers to the latter, i.e. IPSEC over UDP 4500, where this is used as a replacement for NAT-T. Furthermore, the link is saying that the VPN would break if the VPN was using IPSEC over UDP and the ISP then blocks ESP / AH.

I was confused as in the VPN reading I have done I seem to recall that the default port for Cisco's IPSEC over UDP was port 10,000.

If this is correct, why do you need the ESP / AH anyway if NAT-T 4500 doesn't?

Regards

Darren

-- Darren Green
