Ports to open behind a firewall ?

pmarlier · ‎09-06-2002

Hello everyone,

I'm trying to use the Cisco VPN client 3.5.2 on a W98 behind a firewall. I want to use transparent tunnelling. If I've well understand, all the ESP and ISAKMP packets are encapsuled in TCP with port 10000 (per default). So I should only have to open this port on the firewall. I did that but it doesn't work.

Do I've to open UDP 500 and ESP also on the firewall ? And if yes why ?

Thanks a lot.

Regard, Phil

engel · ‎09-08-2002

We just tested this one. The IKE packets are still using port 500, it is not encapsulated to port 10000. The ESP packets are encapsulated to UDP port 10000. I see no ESP packets in between the client (v3.6) and the Concentrator (v3.5.3).

Kind Regards,

Engel

bhesk · ‎09-08-2002

I just tested this one too with VPN Client talking to VPN 3005.

Basically you seem to need the latest code running on both 3005 and client to get this working properly.

3.5 client seems to try talking on UDP port 500 and 62514 even if TCP translation is selected.

With 3.6 client then ONLY TCP port 10000 is used and needs to be opened on the firewall. I also ran 3.6 on the VPN 3005 too (not sure if this is required or not).

Note - I also had to disable IKE keepalives in the group configuration. With IKE keepalives enabled (default), the VPN connection would drop at random intervals if I hadn't been using it for a while).

Hope this helps. Regards, Barry

mark-neil · ‎09-10-2002

Hi Phil,

You'll need to open UDP port 500 for ISAKMP exchange, and will probably also need to open protocols 50 and 51 for ESP and AH, respectively, depending upon your configuration. In answer to your question, the ISAKMP exchange does not appear to be encapsulated in either TCP or UDP port 10000.

Also, due to recent security faults found with the VPN concentrator and clients, recommend you update to 3.6.1.

Regards,

Mark Neil