02-27-2005 12:35 AM
I'm using the Cisco VPN soft client behind a Cisco router running CBAC. What ports need to be open to allow the VPN client to operate correctly?
I'm currently using:
permit esp any any
permit udp any any eq isakmp
02-28-2005 10:51 AM
These are required, but you may also need to open up UDP 10000 to support NAT-T if the IPSec has to cross a NAT boundary along its path.
You will also need to allow the VPN client pool address range access to whichever IP ranges they are to use. This is due to the packets passing via the ACL twice, once encrypted using ESP and ISAKMP, then again unencrypted.
So if the VPN client has a pool range of, say, 10.1.1.0/24 and it's to contact only the 10.2.0.0/16 subnet, the ACL would look like:
ip access-list extended VPNACCESS
 remark tunnel traffic: ESP and ISAKMP (IKE) between client and headend
 permit esp any any
 permit udp any any eq isakmp
 remark second pass: decrypted traffic from the client pool to the internal subnet
 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
Andy
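As an added example that is not part of Andy's answer or of IOS itself: a small Python evaluator for ACL entries in the form shown above, run twice over constructed traffic (the ESP packet as seen on the wire, then the decrypted pool-to-LAN packet) to show that the tunnel entries alone pass the encrypted packet but drop the decrypted one until the pool permit is added. The packet model, addresses and helper names are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
# Hypothetical, simplified evaluator for IOS extended-ACL entries (added
# example, not IOS code): permit/deny <proto> <src> <dst> [eq <port>].
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    tokens = line.lower().split()
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return tokens[0], tokens[1], src, dst, dport

def evaluate(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        if line.lower().startswith(("ip access-list", "remark")):
            continue  # header and remark lines are not entries
        action, proto, src, dst, dport = parse_ace(line)
        if proto in ("ip", pkt.proto) and wildcard_match(pkt.src, *src) \
                and wildcard_match(pkt.dst, *dst) and dport in (None, pkt.dport):
            return action == "permit"
    return False

def two_pass(acl_lines, outer, inner):
    """The ACL sees the flow twice: the ESP packet, then the decrypted packet."""
    return {"encrypted": evaluate(acl_lines, outer), "decrypted": evaluate(acl_lines, inner)}

# Constructed sample traffic: client public IP -> headend (ESP), then the
# decrypted packet from a pool address to an internal host.
OUTER = Packet("esp", "203.0.113.5", "198.51.100.1")
INNER = Packet("tcp", "10.1.1.7", "10.2.3.4", 445)
TUNNEL_ONLY = ["permit esp any any", "permit udp any any eq isakmp"]
FULL = TUNNEL_ONLY + ["permit IP 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255"]
if __name__ == "__main__":
    print("tunnel entries only:", two_pass(TUNNEL_ONLY, OUTER, INNER))
    print("with pool->LAN entry:", two_pass(FULL, OUTER, INNER))
```

The UDP 10000 entry Andy mentions covers the Cisco client's IPSec-over-UDP default; standard NAT-T (RFC 3947) runs on UDP 4500, which IOS names `non500-isakmp`, so an `eq 10000` or `eq non500-isakmp` entry is only needed when the path crosses NAT.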