Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
1
Replies

VPN client issues

brandon.vogel
Level 1
Level 1

‎03-13-2003 12:40 PM - edited ‎02-21-2020 12:24 PM

I've got a small network with a Cisco 2610 router at our Internet connection point (T-1) configured with the IOS Firewall software. I am using simple access lists to allow outside traffic in as well as inside traffic out. I deny all outside traffic (incoming on serial port list) except the www, smtp, &tc. that's necessary.

The issue I have is when it comes to software VPN clients that are on some of our workstations for customer support. We're using SonicWall VPN client, Nortel Contivity VPN client, and the Microsoft PPTP client.

I know I have to add entries to the incoming serial list for the Nortel and SonicWall clients in order to get traffic through. Does anyone have links or info as to what exact protocols and ports are needed?

I know this is a simple question, but I'm rather new at delving into access lists like this and want to get it right. Thanks in advance.

Labels:
0 Helpful
1 Reply 1

ndoshi
Cisco Employee
Cisco Employee

‎03-14-2003 03:58 PM

If you want to allow IPSEC :

IKE uses UDP port 500. The IPSec ESP and AH protocols use protocol numbers 50 and 51. Ensure that your access lists are configured so that protocol 50, 51, and UDP port 500 traffic is not blocked at interfaces used by IPSec. In some cases you might need to add a statement to your access lists to explicitly permit this traffic.

Allow AH = IP protoocol ID 51 (0x33)

Allow ESP = IP protocol ID 50 (0x32)

If you want to allow PPTP tunnel is allow tcp port 1723

IPSEC:

access-list 111 permit tcp host y.y.y.y host x.x.x.x eq 50

access-list 111 permit tcp host y.y.y.y host x.x.x.x eq 51

access-list 111 permit udp host y.y.y.y host x.x.x.x eq 500

Other example

access-list 101 permit udp host 2.2.2.2 host 1.1.1.1 eq 500

access-list 101 permit esp host 2.2.2.2 host 1.1.1.1

other example

access-list 110 permit 50 any any

access-list 110 permit 51 any any

access-list 110 permit udp any eq 500 any eq 500

!

OR

!

access-list 110 permit esp any any

access-list 110 permit ahp any any

access-list 110 permit udp any eq 500 any eq 500

PPTP :

access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq 1723

access-list 101 permit gre host 2.2.2.2 host 1.1.1.1

Q. What ports should I open on a firewall in order to accommodate PPTP tunnels?

A. The ports you should open are:

TCP/1723

TCP/139

UDP/Netbios-NS

UDP/Netbios-DGM

IP/47 GRE

http://www.cisco.com/warp/public/471/pptp_faq.html

http://www.iss.net/security_center/advice/Exploits/Ports/

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/ipsec.htm

0 Helpful
Customers Also Viewed These Support Documents