MS VPN

wonderpug
Level 1

Can someone tell me what will be the outbound/inbound traffic that I need to open for Microsoft's VPN? I have a client working in our network and she needs to connect back to their computer via MS's VPN from her Windows VPN client. Specifically, I need to allow this type of traffic in my ASA firewall.

Thanks

4 Replies

Hi,

If using Microsoft's PPTP it uses TCP 1723.

Then it uses GRE to encapsulate the traffic (IP protocol 47)

L2TP uses UDP 1701 but it normally uses IPsec as well.

IPsec uses ESP (IP protocol 50), UDP 500 for ISAKMP and UDP 4500 for NAT-T or TCP 10000 for IPsec/TCP.

Federico.

One more question, do I have to open both outbound/inbound traffic for these ports?

If the client is inside the ASA (server outside).... and assuming PPTP...

The VPN connection will be established using TCP 1723.

Port 1723 will be the destination port.

The source port will be a randomly generated port.

Normally what you do is make sure that outgoing destination port TCP 1723 is permitted and also GRE.

Check out that you have PPTP inspection enabled on the ASA so the return traffic will be automatically permitted (just worry about outbound access).

policy-map global_policy
  class inspection_default
    inspect pptp

Federico.

Probably that makes sense why there's no return traffic in my case. Actually my clients use both PPTP and L2TP. I will try your method and let you know if that works out.

Thank you!
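
The outbound rules discussed in this thread, written out as ASA configuration for both PPTP and L2TP/IPsec clients behind the firewall. This is an added example, not part of the original posts; 203.0.113.10 is a placeholder for the remote VPN server and INSIDE_OUT is a hypothetical name for the ACL already applied inbound on the inside interface.

```cisco
! Added example. Assumptions: 203.0.113.10 is a placeholder for the remote
! VPN server, and INSIDE_OUT is a hypothetical name for the ACL already
! applied inbound on the inside interface.

! PPTP: control channel on TCP 1723, tunnelled data in GRE (IP protocol 47)
access-list INSIDE_OUT extended permit tcp any host 203.0.113.10 eq 1723
access-list INSIDE_OUT extended permit gre any host 203.0.113.10

! L2TP/IPsec: ISAKMP on UDP 500, NAT-T on UDP 4500, ESP (IP protocol 50)
access-list INSIDE_OUT extended permit udp any host 203.0.113.10 eq 500
access-list INSIDE_OUT extended permit udp any host 203.0.113.10 eq 4500
access-list INSIDE_OUT extended permit esp any host 203.0.113.10

! L2TP without IPsec is visible to the firewall as UDP 1701
access-list INSIDE_OUT extended permit udp any host 203.0.113.10 eq 1701

! PPTP inspection so the return traffic is permitted automatically
policy-map global_policy
 class inspection_default
  inspect pptp

! Check that inspection is active and that the ACL entries are being hit
show service-policy inspect pptp
show access-list INSIDE_OUT
```

Scoping each entry to the server's address instead of `any` keeps the opening limited to the one VPN endpoint the client needs.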
