Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
260
Views
5
Helpful
1
Replies

Cisco 3005 Concentrator behind 3rd party firewall

chinwales
Level 1
Level 1

‎07-07-2004 01:17 AM - edited ‎03-09-2019 07:59 AM

Hello.

I want to put our Cisco 3005 concentrator behind a Watchguard Firebox 700 firewall - can anybody give any help or advice with this? Particularly, which ports will I need to unlock to allow vpn tunnelling to continue?

Thanks for looking at this - hope you can help.

Labels:
0 Helpful
1 Reply 1

ehirsel
Level 6
Level 6

‎07-07-2004 03:31 AM

You will need to let udp srcport=500 destport=500 through for IKE (Phase 1) to work. You may also need to allow the ESP protocol (protocol id is 51), if you do native IPSsec.

If you do NAT-T (ipsec over udp) you will need to allow udp destined for the 3005 unit on what ever port nat-t is configured to listed on, which I believe is port 4500 by default.

The 3005 can be configured to run IPSec over TCP, and there is a range of ports, that you can configure, as well as just one port. The default is port 10000 only.

The 3005 can be configured to do all three types of IPSec sessions, so you may want to leave all the options open. Mostly because the policy where the remote client may dicate one type (such as allowing ipsec over tcp only) to aid in NAT.

The 3005 can also be configured for PPTP - to do this you need to allow the control session inbound (I believe that it is tcp port 1743), as well as GRE in both directions between the 3005 and the remote client.

I hope this helps.

Customers Also Viewed These Support Documents