Remote VPN client connection fails due to source port filter

mayhem2022
Level 1

Hello...I have my VPN 3015 concentrator behind my PIX 515 firewall. The access-list on the outside interface of the firewall allows access to the concentrator via the recommended ports in the "Cisco VPN 3000 Concentrator Frequently Asked Questions" document. I recently encountered a problem with a remote client connecting to the firewall because the source port for the incoming ISAKMP packet was less than 500. This is the first of over 100 installations where I have encountered this problem. As a workaround, I edited the access-list to prevent filtering on the source port for the ISAKMP packet. The client is behind a firewall on the remote side so I am guessing their firewall is randomizing the source port to a value below 500. We are running IPSec over UDP.

Is it normal to experience this problem or could there be something wrong with the remote firewall? Are there particular types of firewalls that will impact our ability to filter on the source port?

Thanks...Bob

1 Reply

gfullage
Cisco Employee

Difficult to say how particular types of firewalls do their NAT/PAT'ing. I would say you're correct in assuming that this particular firewall is PAT'ing the source port to something under 500, which I guess is valid although not usual. The destination port should always remain at 500, so it would be safer to keep your ACL in place and only have it look at the destination port.
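As an added illustration of the advice above (not configuration posted by either participant), here is the source-port-matching ACL entry that breaks when a remote PAT device rewrites the ISAKMP source port, next to the destination-port-only form that keeps the filter in place. It assumes PIX 6.x access-list syntax, a placeholder ACL name `outside_in`, and a placeholder concentrator address `192.0.2.10`.

```text
access-list outside_in remark WEAK: matches source port 500 as well as destination 500
access-list outside_in remark a PAT'd client with src port 1023 or lower never matches this line
access-list outside_in permit udp any eq isakmp host 192.0.2.10 eq isakmp

access-list outside_in remark PREFERRED: any source port, destination port must still be 500 (isakmp)
access-list outside_in permit udp any host 192.0.2.10 eq isakmp

access-group outside_in in interface outside
```

After the change, `show access-list outside_in` hit counts on the destination-only line confirm that PAT'd clients are now being matched rather than silently dropped.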