cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1273
Views
2
Helpful
8
Replies

UDP Port 500 showing open on multiple public IP

rakuntal
Level 1
Level 1

Hi,

I have configured IPSec VPN on the WAN interface. While scanning Public IP Pool from outside, the port udp 500 is also showing open on other public IPs of the router. I am not able to understand why port 500 is showing open on other public IPs although I have opened it only on WAN interface IP. Second I want to close it on other public IPs. Pls suggest how to do it

1 Accepted Solution

Accepted Solutions

rakuntal
Level 1
Level 1

Thanks all, at the present problem, has been resolved, but don't know for how long. The problem seems to be coming from the crypto sessions it has created. Below are the steps I used for its solution.

1) crypto isakmp aggressive-mode disable

2) Removed crypto map cmap from Crypto WAN interface

3) crypto isakmp aggressive-mode disable

4) Again on WAN interface I configured crypto map cmap command

and things just worked. Don't know why but it worked. Now when I am scanning all my public IPs from outside except on WAN interface no IP is showing UDP port 500 open.

Thanks all of you

 

 

View solution in original post

8 Replies 8

@rakuntal what device are you referring to - ASA, FTD or router?

 

it is bug, 

can you please share any link for this particular bug? 

tvotna
Spotlight
Spotlight

On routers you typically have an "in" ACL applied to public interfaces which controls both transit traffic and traffic which terminates on the router itself. This should help.

rakuntal
Level 1
Level 1

Yes we have already applied ACL but I have not found anyhting .We have done multiple static NAT on the WAN interfaces and udp port 500 is showing open on NAT IPs , though I have not allowed it . Although it is configured only on WAN interface

Marvin Rhoads
Hall of Fame
Hall of Fame

If you have outbound traffic NATted to one of the other IP addresses (either static of as part of a NAT pool) then any outbound communications originating from udp/500 will try to claim the port by default.

rakuntal
Level 1
Level 1

Thanks all, at the present problem, has been resolved, but don't know for how long. The problem seems to be coming from the crypto sessions it has created. Below are the steps I used for its solution.

1) crypto isakmp aggressive-mode disable

2) Removed crypto map cmap from Crypto WAN interface

3) crypto isakmp aggressive-mode disable

4) Again on WAN interface I configured crypto map cmap command

and things just worked. Don't know why but it worked. Now when I am scanning all my public IPs from outside except on WAN interface no IP is showing UDP port 500 open.

Thanks all of you

 

 

Review Cisco Networking for a $25 gift card