ipsec vpn ports?

blackswans
Level 1

Hi,

I will make a site-to-site VPN between two ASA firewalls. But I have an ADSL modem in front of the firewall, so I need to NAT the ports that are used by the VPN. So what are these ports? Which ports should I NAT for the VPN?

thanks

3 Replies

Jennifer Halim
Cisco Employee

For IPSec VPN, the following ports are to be used:

Phase 1: UDP/500

Phase 2: UDP/4500

You would also need to enable NAT-T on your ASA (command: crypto isakmp nat-traversal 20):

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067

That would encapsulate ESP (phase 2) to UDP/4500 so it can be NATed.

It is also advisable to open protocol 50 (ESP) as well.

HTH

Most likely not possible on an ADSL modem, and since he is doing NAT the solution would be, as stated above, to use NAT-T, therefore pushing phase 2 up to UDP/4500.
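To check what actually crosses the modem once the forwards are in place, the sketch below labels packets by the ports and protocol named in the replies. It is an added example, not part of the original thread or any Cisco tool. It goes slightly beyond the replies by using the RFC 3948 framing on UDP/4500 (a four-byte zero marker before IKE, a single 0xFF byte as NAT keepalive) to tell IKE from ESP-in-UDP. The function names and sample packets are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500        # the two UDP ports named in the thread
PROTO_UDP, PROTO_ESP = 17, 50          # IP protocol numbers
NON_ESP_MARKER = b"\x00" * 4           # RFC 3948: precedes IKE on UDP/4500

def ike_summary(msg):
    # Fixed ISAKMP/IKE header is 28 bytes: two 8-byte SPIs, next payload,
    # version, exchange type, flags, 4-byte message ID, 4-byte length.
    if len(msg) < 28:
        return "malformed IKE header"
    return f"IKE v{msg[17] >> 4}.{msg[17] & 0x0F} exchange type {msg[18]}"

def classify(ip_proto, dst_port, payload):
    """Label a packet headed to the VPN gateway, as seen in front of the NAT."""
    if ip_proto == PROTO_ESP:
        return "native ESP (protocol 50, no ports to translate)"
    if ip_proto != PROTO_UDP or dst_port not in (IKE_PORT, NATT_PORT):
        return "not IPsec"
    if dst_port == IKE_PORT:
        return "UDP/500 " + ike_summary(payload)
    if payload == b"\xff":
        return "UDP/4500 NAT keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "UDP/4500 " + ike_summary(payload[4:])
    if len(payload) < 8:
        return "UDP/4500 malformed"
    # Anything else on 4500 starts with the ESP header: SPI, then sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return f"UDP/4500 ESP-in-UDP spi=0x{spi:08x} seq={seq}"

# Constructed sample packets (not captured traffic).
IKE_HDR = b"\x11" * 8 + bytes(8) + bytes([1, 0x10, 2, 0]) + bytes(4) + struct.pack("!I", 28)
SAMPLES = [
    (PROTO_UDP, 500, IKE_HDR),                                    # IKE before NAT is detected
    (PROTO_UDP, 4500, NON_ESP_MARKER + IKE_HDR),                  # IKE floated to 4500
    (PROTO_UDP, 4500, struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)),  # tunnel data
    (PROTO_UDP, 4500, b"\xff"),                                   # keepalive
    (PROTO_ESP, 0, b""),                                          # ESP without NAT-T
    (PROTO_UDP, 53, bytes(12)),                                   # unrelated traffic
]

def label_samples():
    return [classify(*pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    print("\n".join(label_samples()))
```

If a capture on the outside of the ASA shows only the UDP/500 label and never anything on UDP/4500, the 4500 forward or NAT-T itself is the first thing to check.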