87310 Views, 5 Helpful, 9 Replies

tcp port 443 for anyconnect

mahesh18
Level 6

Hi Everyone,

I need to open a port on the edge router to allow AnyConnect connections coming from outside.

I need to confirm whether I need to open only TCP port 443 on the router,

or whether I also need to open UDP port 443.

Regards

Mahesh


9 Replies

Richard Burts
Hall of Fame

Mahesh

By default the AnyConnect client will use TCP 443. But the AnyConnect client may also use DTLS (which provides the same type of authentication and encryption as SSL but uses UDP to do it). There is not a standard port for DTLS but I believe that there is an option on the ASA to configure a port for it to use and you would want that UDP port open also.

HTH

Rick


Hi Rick,

I need to open port TCP 443 on the ASA and our edge router.

So do I need to open port UDP 443 on both the ASA and the router?

Regards

Mahesh

Mahesh

This example shows configuring DTLS for AnyConnect and it does use port 443. But it is possible to specify a different port. So basically the ports you need to open will reflect choices that you make in configuring AnyConnect.

And let me also make the point that DTLS is not a requirement. It is an optional feature (and in my opinion very beneficial). So you may enable it or you may not enable it - AnyConnect will still run.

HTH

Rick


Hi Rick,

I configured the ASA and router to allow only port TCP 443 for AnyConnect.

Now AnyConnect works fine.

Config on ASA

webvpn

svc dtls enable

When a user connects I see the following:

Protocol : Clientless SSL-Tunnel DTLS-Tunnel

So it seems it is also using UDP.

Does DTLS also use port 443?

Regards

Mahesh

Message was edited by: mahesh parmar

Mahesh, to establish a remote access SSL VPN to your ASA, yes TCP 443 will suffice through the router. When you enable the certificate and webvpn on the outside interface as part of the VPN setup that tells the ASA to listen for the incoming SSL - so you don't technically "open" 443 on the ASA.

Your VPN setup should have something similar to the following commands which accomplish what I'm talking about:

ssl trust-point ASDM_TrustPoint0 Outside

webvpn

enable Outside

If you're configuring an IPsec remote access VPN (legacy client with IKEv1 or AnyConnect with IKEv2) then some other protocols need to pass - most notably IP Protocol 50 for ISAKMP to work.

Rick,

Just FYI

https://tools.ietf.org/html/rfc6347

https://tools.ietf.org/html/rfc4347

Now if people add some secret sauce in there, is another topic ;-)

M.


Mahesh

I have reviewed the RFCs that define DTLS and they do not say anything about any particular port number for DTLS. But this FAQ for AnyConnect does seem to indicate that it does use UDP 443.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/107391-anyconnect-faqs.html

HTH

Rick


Thanks Rick for looking this up.

Regards

Mahesh
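To tie the thread together, here is an added example (not from the thread or from Cisco) that reads ASA webvpn lines like the ones posted above and derives what the edge router must pass inbound: TCP on the SSL port, UDP on the DTLS port when DTLS is enabled, and UDP 500/4500 plus ESP (IP protocol 50) when IKEv2 client services are enabled. The sample config is constructed; the `port`, `dtls port` and `crypto ikev2 enable ... client-services` lines are assumed ASA syntax that is not in the thread, and the ACL output is IOS extended-ACL format for the router.

```python
from __future__ import annotations
import re

# Standard assignments used for the IKEv2 case (not from the thread itself).
IKE_PORTS = [("udp", 500), ("udp", 4500)]   # IKEv2 and NAT-T
ESP_PROTO = "esp"                            # IP protocol 50, no port

# Constructed sample ASA config, modelled on the snippets posted in the thread.
# 'dtls port' and 'crypto ikev2 enable ... client-services' are assumed syntax.
SAMPLE_ASA_CONFIG = """\
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
 enable Outside
 dtls port 4433
 svc dtls enable
crypto ikev2 enable Outside client-services port 443
"""

def required_inbound(config: str) -> list[tuple[str, int | None]]:
    """Return the (protocol, port) pairs the edge router must allow to the ASA."""
    ssl_port, dtls_port = 443, 443          # ASA defaults (TCP 443 / UDP 443)
    webvpn_on = dtls_on = ikev2_on = False
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Indented lines following 'webvpn' belong to that block.
        in_webvpn = line == "webvpn" or (in_webvpn and raw.startswith(" "))
        if in_webvpn and line.startswith("enable "):
            webvpn_on = True                # SSL listener on an interface
        elif in_webvpn and (m := re.fullmatch(r"port (\d+)", line)):
            ssl_port = int(m.group(1))
        elif in_webvpn and (m := re.fullmatch(r"dtls port (\d+)", line)):
            dtls_port = int(m.group(1))
        elif line in ("svc dtls enable", "anyconnect ssl dtls enable"):
            dtls_on = True                  # DTLS is optional, as Rick noted
        elif line.startswith("crypto ikev2 enable "):
            ikev2_on = True
    needed: list[tuple[str, int | None]] = []
    if webvpn_on:
        needed.append(("tcp", ssl_port))
        if dtls_on:
            needed.append(("udp", dtls_port))
    if ikev2_on:
        needed += IKE_PORTS + [(ESP_PROTO, None)]
    return needed

def acl_lines(config: str, asa_ip: str) -> list[str]:
    """Render the result as IOS extended-ACL entries for the edge router."""
    return [f"permit {proto} any host {asa_ip}" + (f" eq {port}" if port else "")
            for proto, port in required_inbound(config)]
```

Running `acl_lines(SAMPLE_ASA_CONFIG, "203.0.113.10")` yields one permit line per required protocol/port, which is the list to compare against the router's inbound ACL.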