10-26-2010 01:32 PM - edited 03-21-2019 03:11 AM
The customer is not using the UC540 as their firewall and we need remote access to the system. The data vendor has a SonicWall firewall in place and we are plugged into it with our WAN port. We are using Cisco VPN Client but getting denied access to the firewall because we are hitting several different ports every time. What information are we forgetting to relay to the data vendor on the correct configuration of his firewall to allow access to the UC540?
Mike Carter
AtcomBTS
10-26-2010 02:28 PM
Hi Mike,
I found a doc that may explain what to do.
https://supportforums.cisco.com/docs/DOC-9671
So in addition to the UC540 being a static IP on the external firewall data VLAN (with NAT rule from WAN to UC540), and the UC540 firewall turned off, and NAT turned off, and a VPN Server built on the UC540 with the credentials (Shared Secret and Group name) matching Cisco VPN Client and UC540 VPN Server, I think the external FW has to let the IPsec ports through too...
In the doc, in a few scenarios, I find this:
You need to ensure the following policies are applied to the firewall:
• If IPsec is used (for a multi-site data VPN and the Data LAN resides behind the UC500), make sure that the firewall allows access to the following ports and protocols:
IP Protocol ID 50, for both inbound and outbound filters. It should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
UDP Port 500, for both inbound and outbound filters. It should be set to allow ISAKMP traffic to be forwarded.
Steve
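As an added example (not from the thread or the Cisco doc), the script below checks constructed firewall log lines against the IPsec policy quoted above and reports which required flows the vendor's firewall is dropping, giving you a concrete list to hand to the data vendor. The log format is invented for the example (it is not SonicWall's real format), and UDP 4500 (NAT-T) is included as an assumption beyond the quoted doc, since the UC540 sits behind a NAT rule.

```python
"""Report required IPsec flows (ESP, UDP 500, and assumed NAT-T UDP 4500)
that a firewall log shows as dropped. Log format below is constructed."""
import re
from collections import defaultdict

# Flows the quoted policy requires, keyed by (protocol, port); ESP has no port.
REQUIRED_FLOWS = {
    ("esp", None): "IP protocol 50 (ESP)",
    ("udp", 500): "UDP 500 (ISAKMP/IKE)",
    ("udp", 4500): "UDP 4500 (NAT-T, assumed, not in the quoted doc)",
}

# Constructed log format: "... dir=in|out proto=X [dport=N] action=allow|drop"
LOG_RE = re.compile(
    r"dir=(?P<dir>in|out)\s+proto=(?P<proto>\w+)"
    r"(?:\s+dport=(?P<dport>\d+))?\s+action=(?P<action>allow|drop)"
)

def parse_line(line):
    """Return (direction, protocol, dport or None, action), or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return m["dir"], m["proto"].lower(), dport, m["action"]

def find_blocked_flows(lines):
    """Map each required flow that was dropped to the sorted list of directions seen."""
    blocked = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        direction, proto, dport, action = parsed
        key = (proto, None if proto == "esp" else dport)
        if key in REQUIRED_FLOWS and action == "drop":
            blocked[REQUIRED_FLOWS[key]].add(direction)
    return {desc: sorted(dirs) for desc, dirs in blocked.items()}

# Constructed sample: IKE allowed both ways, ESP dropped both ways, NAT-T dropped inbound.
SAMPLE_LOG = [
    "2010-10-26 13:30:01 fw dir=in proto=udp dport=500 action=allow",
    "2010-10-26 13:30:02 fw dir=out proto=udp dport=500 action=allow",
    "2010-10-26 13:30:03 fw dir=in proto=esp action=drop",
    "2010-10-26 13:30:03 fw dir=out proto=esp action=drop",
    "2010-10-26 13:30:04 fw dir=in proto=udp dport=4500 action=drop",
    "2010-10-26 13:30:05 fw dir=in proto=tcp dport=443 action=drop",  # unrelated, ignored
]

if __name__ == "__main__":
    for desc, dirs in find_blocked_flows(SAMPLE_LOG).items():
        print(f"{desc}: dropped {', '.join(dirs)} -> ask the data vendor to allow it")
```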