Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12205
Views
0
Helpful
3
Replies

How to change port number of ISAKMP?

Go to solution
SupIceCat
Level 1
Level 1

‎01-10-2011 11:16 PM

The default port number for ISAKMP is 500, how do I change it?

The platform is Cisco 1841 with IOS v12.4

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-10-2011 11:49 PM

You won't be able to change only phase 1 (ISAKMP) port as the default  is UDP/500. What is the reason to change it to other ports?

You  can however encapsulate phase 2 (IPSEC) ESP packet in either UDP or TCP  protocols to avoid the issue with ESP packet going through NAT device.  This is called IPSec NAT Transparency. Phase 2 is by default  encapsulated to UDP/4500 if the ESP packet passes through NAT device, or  you can also encapsulate it to TCP or UDP on other ports.

If you use TCP as protocol for phase 2, then phase 1 will uses TCP as well on the same port configured.

If you encapsulate with UDP for phase 2, then phase 1 will continue to use UDP/500.

Hope that makes sense.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-10-2011 11:49 PM

You won't be able to change only phase 1 (ISAKMP) port as the default  is UDP/500. What is the reason to change it to other ports?

You  can however encapsulate phase 2 (IPSEC) ESP packet in either UDP or TCP  protocols to avoid the issue with ESP packet going through NAT device.  This is called IPSec NAT Transparency. Phase 2 is by default  encapsulated to UDP/4500 if the ESP packet passes through NAT device, or  you can also encapsulate it to TCP or UDP on other ports.

If you use TCP as protocol for phase 2, then phase 1 will uses TCP as well on the same port configured.

If you encapsulate with UDP for phase 2, then phase 1 will continue to use UDP/500.

Hope that makes sense.

0 Helpful

Go to solution
SupIceCat
Level 1
Level 1
In response to Jennifer Halim

‎01-11-2011 12:00 AM

Thanks for your answer. The router is under a special network environment that must use ports other than 500.

Could you please give me some commands example of this port-changing configuration? I do not know where to start with.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to SupIceCat

‎01-11-2011 12:24 AM

Just double check, and I couldn't seem to find any reference to be able to change the port for IOS router.

You can definitely change the IPSec encapsulation port for ASA firewall, but I can't seem to find anything about changing ports on IOS router.

You might want to open a TAC case to double confirm.

0 Helpful
Customers Also Viewed These Support Documents