PIX501 IPsec - How to change IPsec TCP or UDP port it listens on?

chariley
Level 1

My situation is that I have a PIX 501 at home that I want to set up a VPN between my office and home. However, the firewall at my office is blocking IPsec from being established (it is blocking the TCP and UDP ports of IPsec). I could ask our firewall administrator to open these ports up, but I would rather try the following as an exercise.

In my Cisco VPN client, there is an option to do IPsec over TCP, and to specify a TCP port over which to establish it. Here's the solution I would like to try if possible.

Configure my client to connect to TCP port 80 (which is permitted by the firewall at the office) on my 501 and establish the IPsec VPN.

What are the commands I use to configure the 501 so that it listens for and establishes the IPsec session over TCP port 80, rather than its usual default ports? Does anyone have a sample configuration for accomplishing this?

TIA,

Charles

3 Replies

gfullage
Cisco Employee

You can't change the ports the 501 (or any PIX model) uses for IPSec connections. The PIX is only going to use UDP 500 for ISAKMP and IP protocol 50 for IPSec if it is establishing (or accepting) the tunnel.

If you want to create a VPN connection from your PC to the office using the Cisco VPN client, then you can set that up to use TCP or UDP encapsulation, and the PIX will happily pass it through for you.

The PIX at my office location does NOT allow me to pass UDP 500 traffic, so the VPN client never gets past ISAKMP negotiation. Merely changing it at the client does not help; it only changes the TCP port that the client will attempt to connect to on the remote firewall; the remote firewall is still using the standard port numbers for these two.

So, you are saying that I can change either the UDP port for ISAKMP or IPsec? Or is there any workaround to my problem?

I have heard that Cisco is making some changes to the PIX OS with version 6.3, and I think one of them is the ability to change ISAKMP and IPsec port numbers on the firewall...

Hi

I'm afraid you are not going to have much luck establishing an IPSEC VPN tunnel using a client behind a firewall for the following reasons:

Any address translation performed on an IPSEC packet invalidates that packet, so it will be discarded. A way around this is to encapsulate the IPSEC packet in a TCP or UDP packet, so it is the encapsulation part that has the translation performed on it, rather than the IPSEC packet contained within. This is what happens when you click the IPSEC over TCP/UDP checkbox on your client. Unfortunately, PIX firewalls do not currently support IPSEC over TCP/UDP (the option is in the client because Cisco VPN concentrators do support this feature). However, I have also read that 6.3 will provide some sort of support for this feature - I believe it will have the capacity to terminate a single connection in this manner.

HTH

Kev
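
Kev's point about translation invalidating the packet, and encapsulation sidestepping it, can be made concrete. The following is an added example, not code from this thread or from Cisco: a simplified Python model of the AH and ESP integrity checks (RFC 4302 and RFC 4303) and of UDP-encapsulated ESP (RFC 3948, the NAT-T mechanism PIX 6.3 introduced), pushed through a port-address-translating firewall. The shared key, addresses and payloads are constructed, HMAC-SHA256 stands in for whatever integrity algorithm the SA negotiated, and the wire formats are reduced to the fields that decide the outcome.

```python
"""Why address translation breaks IPsec AH, why plain ESP survives the ICV check
but not a port-translating NAT, and why UDP-encapsulated ESP (NAT-T) passes.
Constructed illustration: packets are dataclasses, not real wire formats."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

AH, ESP, UDP = 51, 50, 17
NATT_PORT = 4500


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    payload: bytes                # AH/ESP header plus (cipher)text, as one blob
    sport: Optional[int] = None   # present only for UDP/TCP
    dport: Optional[int] = None
    icv: bytes = b""


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def ah_icv(key: bytes, p: Packet) -> bytes:
    # RFC 4302: the ICV covers the IP header with mutable fields (TTL, checksum,
    # DSCP...) zeroed, so the source and destination addresses ARE authenticated.
    return _mac(key, f"{p.src}|{p.dst}|{p.proto}|ttl=0|".encode() + p.payload)


def esp_icv(key: bytes, p: Packet) -> bytes:
    # RFC 4303: the ICV covers only the ESP header and ciphertext, never the outer IP header.
    return _mac(key, p.payload)


def build_ah(key, src, dst, payload):
    p = Packet(src, dst, AH, 64, payload)
    p.icv = ah_icv(key, p)
    return p


def build_esp(key, src, dst, payload):
    p = Packet(src, dst, ESP, 64, payload)
    p.icv = esp_icv(key, p)
    return p


def build_esp_in_udp(key, src, dst, payload):
    # RFC 3948: the ESP packet rides inside UDP 4500; its ICV is left untouched.
    inner = build_esp(key, src, dst, payload)
    return Packet(src, dst, UDP, 64, inner.payload, NATT_PORT, NATT_PORT, inner.icv)


class Pat:
    """Port address translation as a home or office firewall does it: rewrite the
    source address, and the source port when the protocol has one."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.port_table = {}    # public sport -> (inside src, inside sport)
        self.proto_table = {}   # IP protocol -> the one inside host it is pinned to

    def translate(self, p: Packet) -> Optional[Packet]:
        out = replace(p, src=self.public_ip, ttl=p.ttl - 1)
        if p.proto in (6, UDP):
            out.sport = self.next_port
            self.port_table[out.sport] = (p.src, p.sport)
            self.next_port += 1
            return out
        # AH and ESP carry no port, so there is nothing to multiplex on. The most a
        # PAT device can do is pin the protocol to the first inside host it sees
        # ("IPsec passthrough"); a second inside host's packets collide and are dropped.
        pinned = self.proto_table.setdefault(p.proto, p.src)
        return out if pinned == p.src else None


def receiver_accepts(key: bytes, p: Optional[Packet]) -> bool:
    """What the far-end PIX or concentrator decides for an arriving packet."""
    if p is None:
        return False
    if p.proto == AH:
        return hmac.compare_digest(ah_icv(key, p), p.icv)
    if p.proto == ESP:
        return hmac.compare_digest(esp_icv(key, p), p.icv)
    if p.proto == UDP and p.dport == NATT_PORT:
        # Strip the UDP wrapper and verify the ESP packet inside it.
        return hmac.compare_digest(esp_icv(key, p), p.icv)
    return False


def demo() -> dict:
    key = b"constructed-shared-key"   # stands in for the keys the SA negotiated
    home, office = "10.0.0.5", "198.51.100.1"
    nat = Pat("203.0.113.10")
    ah = build_ah(key, home, office, b"AH-protected data")
    esp = build_esp(key, home, office, b"ESP ciphertext")
    esp_other = build_esp(key, "10.0.0.6", office, b"a second inside host")
    natt_out = nat.translate(build_esp_in_udp(key, "10.0.0.6", office, b"ESP in UDP"))
    return {
        "ah_direct": receiver_accepts(key, ah),
        "ah_through_router": receiver_accepts(key, replace(ah, ttl=63)),  # TTL is mutable: still valid
        "ah_after_nat": receiver_accepts(key, nat.translate(ah)),        # source rewritten: ICV fails
        "esp_after_nat": receiver_accepts(key, nat.translate(esp)),      # ICV ignores outer header
        "esp_second_host_dropped": nat.translate(esp_other) is None,     # no port to map a second host
        "natt_after_nat": receiver_accepts(key, natt_out),               # UDP wrapper absorbed the NAT
        "natt_sport_rewritten": natt_out.sport != NATT_PORT,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

Two details worth keeping straight when reading the results. AH fails because its ICV covers the source address (a plain router decrementing TTL is harmless, since mutable fields are zeroed before the MAC). Plain ESP's ICV does not cover the outer header at all; the obstacle there is that protocol 50 carries no port for a PAT device to key on, which is exactly what the UDP 4500 wrapper supplies. Note also that UDP encapsulation only solves the translation problem: IKE still starts on UDP 500 and floats to 4500 once NAT is detected, so an office firewall that blocks UDP 500 outright, as described at the top of the thread, still stops the tunnel before it is negotiated.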