Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
4
Helpful
6
Replies

Anyconnect Ikev2 VPN and NAT possible port conflict

Go to solution
Lee Dress
Level 1
Level 1

‎05-17-2024 08:04 AM

I'm looking to enable Ikev2 for anyconnect and disable SSL.

My concern is on the change log when I go to deploy it, the IPsec Proposal says port 443.

We nat Port 443 down to out on site exchange server for hybrid email.

Our SSL vpn has been redirected to another port to prevent any conflict.  I'm just concerned that this will interfere with the hybrid exchange environment.  does anyone know if this will be an issue?  we'd like to get off of SSL vpn just because of the brute force stuff that's been going on.

 

Labels:
Preview file
64 KB
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎05-17-2024 08:41 AM

@Lee Dress

thats Client Services port which is used to download secure client/anyconnect updates, profiles and other settings. You can specify a different port or disable (if you do that the clients will not receive updates).

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
MHM Cisco World
VIP
VIP

‎05-17-2024 08:38 AM

Need to check this point' but the ipsec anyconnect use http to download the xml and image it use.

If you can add xml manually to pc and disable auto-update that maybe solve issue

MHM

Go to solution
Lee Dress
Level 1
Level 1
In response to MHM Cisco World

‎05-17-2024 08:51 AM

I manually changed the xml on the client I'm testing with to try the IPSec.

I added a second server as "VPN-IPsec" and made the Primary Protocol IPsec, so I think the client side is fine. I was concerned about the port 443 on the Firewall side.

 

Go to solution
Rob Ingram
VIP
VIP

‎05-17-2024 08:41 AM

@Lee Dress

thats Client Services port which is used to download secure client/anyconnect updates, profiles and other settings. You can specify a different port or disable (if you do that the clients will not receive updates).

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html

 

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1
In response to Rob Ingram

‎05-17-2024 08:48 AM

We use "Device Insights" for updates, so I should be able to disable this.  I'll give it a shot and see how it goes.

 

 

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1

‎05-17-2024 08:57 AM

Thank you both.  this works. 

I can now move my Anyconnect users to Ikev2 and disable SSL,  I changed the port number in Client services to 9443, then disabled it just so I wouldn't be concerned about it.

 

 

Go to solution
MHM Cisco World
VIP
VIP
In response to Lee Dress

‎05-17-2024 09:26 AM

You are welcome 

MHM

0 Helpful
Customers Also Viewed These Support Documents