02-26-2014 08:08 AM - edited 02-21-2020 07:31 PM
Hi Everyone,
I need to open port on edge Router to allow anyconnect connection coming from outside.
need to confirm if i need to open tcp port 443 only on router?
or do i need to open udp port 443 also?
Regards
MAhesh
Solved! Go to Solution.
02-26-2014 08:36 AM
Mahesh
By default the AnyConnect client will use TCP 443. But the AnyConnect client may also use DTLS (which provides the same type of authentication and encryption as SSL but uses UDP to do it). There is not a standard port for DTLS but I believe that there is an option on the ASA to configure a port for it to use and you would want that UDP port open also.
HTH
Rick
02-26-2014 09:51 AM
Mahesh
This example show configuring DTLS for AnyConnect and it does use port 443. But it is possible to specify a different port. So basically the ports you need to open will reflect choices that you make in configuring AnyConnect.
And let me also make the point that DTLS is not a requirement. It is an optional feature (and in my opinion very beneficial). So you may enable it or you may not enable it - AnyConnect will still run.
HTH
Rick
02-26-2014 09:52 AM
Rick,
Just FYI
https://tools.ietf.org/html/rfc6347
https://tools.ietf.org/html/rfc4347
Now if people add some secret sauce in there, is another topic ;-)
M.
02-26-2014 02:36 PM
Mahesh, to establish a remote access SSL VPN to your ASA, yes TCP 443 will suffice throught the router. When you enable the certificate and webvpn on the outside interface as part of the VPN setup that tells the ASA to listen for the incoming SSL - so you don't technically "open" 443 on the ASA.
Your VPN setup should have something similar to the following commands which accomplish what I'm talking about:
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
enable Outside
If you're configuring an IPsec remote access VPN (legacy client with IKEv1 or AnyConnect with IKEv2) then some other protocols need to pass - most notably IP Protocol 50 for ISAKMP to work.
03-06-2014 10:40 AM
Mahesh
I have reviewed the RFCs that define DTLS and they do not say anything about any particular port number for DTLS. But this FAQ for AnyConnect does seem to indicate that it does use UDP 443.
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/107391-anyconnect-faqs.html
HTH
Rick
02-26-2014 08:36 AM
Mahesh
By default the AnyConnect client will use TCP 443. But the AnyConnect client may also use DTLS (which provides the same type of authentication and encryption as SSL but uses UDP to do it). There is not a standard port for DTLS but I believe that there is an option on the ASA to configure a port for it to use and you would want that UDP port open also.
HTH
Rick
02-26-2014 09:14 AM
Hi Rick,
I need to open port tcp 443 on ASA and our Edge Router.
So i need to open port UDP 443 on both ASA and Router?
Regards
MAhesh
02-26-2014 09:51 AM
Mahesh
This example show configuring DTLS for AnyConnect and it does use port 443. But it is possible to specify a different port. So basically the ports you need to open will reflect choices that you make in configuring AnyConnect.
And let me also make the point that DTLS is not a requirement. It is an optional feature (and in my opinion very beneficial). So you may enable it or you may not enable it - AnyConnect will still run.
HTH
Rick
03-06-2014 09:36 AM
Hi Rick,
I configured ASA and Router to allow only port TCP 443 for anyconnect.
Now any connect works fine.
Config on ASA
webvpn
svc dtls enable
When user connects i see below
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
So seems it is also using UDP also.
Does DTLS using also port 443?
Regards
MAhesh
Message was edited by: mahesh parmar
02-26-2014 02:36 PM
Mahesh, to establish a remote access SSL VPN to your ASA, yes TCP 443 will suffice throught the router. When you enable the certificate and webvpn on the outside interface as part of the VPN setup that tells the ASA to listen for the incoming SSL - so you don't technically "open" 443 on the ASA.
Your VPN setup should have something similar to the following commands which accomplish what I'm talking about:
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
enable Outside
If you're configuring an IPsec remote access VPN (legacy client with IKEv1 or AnyConnect with IKEv2) then some other protocols need to pass - most notably IP Protocol 50 for ISAKMP to work.
02-26-2014 09:52 AM
Rick,
Just FYI
https://tools.ietf.org/html/rfc6347
https://tools.ietf.org/html/rfc4347
Now if people add some secret sauce in there, is another topic ;-)
M.
03-06-2014 09:31 AM
Hi Everyone,
I configured ASA and Router to allow only port TCP 443 for anyconnect.
Now any connect works fine.
Config on ASA
webvpn
svc dtls enable
When user connects i see below
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
So seems it is also using UDP also.
Does DTLS using also port 443?
Regards
MAhesh
Message was edited by: mahesh parmar