684 Views · 0 Helpful · 4 Replies

VPN Concentrator Open ports

avilt (Level 3)

I am running a port scan (Angry IP Scanner) against the VPN concentrator. Sometimes it shows port 21 as open. I have disabled FTP under "Management Protocols". Sometimes it shows ports 389 & 1002 as open. What's wrong with my VPN concentrator?

I have enabled only IPSEC under Tunneling Protocols.

When I run port scan what ports should be listed as open?

Thanks


4 Replies

kaachary (Cisco Employee)

Hi,

Can you check the Interface Filter and the corresponding rules applied to it?

You might have a rule defined to allow the mentioned ports.

HTH,

-Kanishka

I have the following filters for the Public interface.

IPSEC-ESP In(forward/in)

IKE(forward/in/out)

ICMP(forward/in/out)

VRRP(forward/in/out)

NAT-T(forward/in/out)

VCA(forward/in/out)

What's this VCA filter used for?

Hello avilt,

VCA stands for Virtual Cluster Agent. This is basically used when the VPN 3000 pair is configured for load balancing; when doing this the boxes talk to each other on VCA and we normally need to allow this on the filters.

My question is, have you enabled this filter on the public interface? Are you seeing the ports going through the VPN concentrator, or are you doing a VA scan and seeing these ports (like FTP) open on the VPN concentrator?

Raj

Thank you. Something is wrong on my scanning PC. It shows ports 389 and 1002 as open for every IP address, even for hosts which are not alive.
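The thread ends with the scanner reporting the same two ports "open" on every address, including hosts that are not alive, which is the classic signature of a scanner or path artifact rather than a listener on the concentrator. The following added example (not from the original thread or from Cisco) shows how a practitioner would triage raw scan output before blaming the device: any port claimed open on a host that never answered a liveness probe is treated as an artifact, the remaining findings are compared against what an IPsec-only public interface is expected to accept, and anything left over (port 21 in the poster's case) is flagged for a filter and management-protocol review. The scan records are constructed sample data; the expected-listener table is an assumption derived from the filter names in the thread (IKE on UDP/500, NAT-T on UDP/4500), and VCA's port is omitted because the page does not state it. ESP and VRRP are IP protocols, not ports, so a TCP/UDP scanner never lists them at all.

```python
import socket
from collections import defaultdict

# Assumed baseline for an IPsec-only VPN 3000 public interface, built from
# the filter names in the thread (IKE, NAT-T). ESP (IP protocol 50) and
# VRRP (IP protocol 112) have no port and never appear in a port scan.
# VCA is left out because its port is not given on the page.
EXPECTED_LISTENERS = {
    ("udp", 500): "IKE",
    ("udp", 4500): "NAT-T (IPsec over UDP)",
}

# Constructed sample scan output: (host, host_alive, proto, port, state).
# 10.0.0.1 answered a liveness probe; 10.0.0.9 and 10.0.0.10 did not, yet
# the scanner still claims TCP 389 and 1002 are open on them.
SAMPLE_SCAN = [
    ("10.0.0.1", True, "udp", 500, "open"),
    ("10.0.0.1", True, "udp", 4500, "open"),
    ("10.0.0.1", True, "tcp", 21, "open"),
    ("10.0.0.1", True, "tcp", 389, "open"),
    ("10.0.0.1", True, "tcp", 1002, "open"),
    ("10.0.0.9", False, "tcp", 389, "open"),
    ("10.0.0.9", False, "tcp", 1002, "open"),
    ("10.0.0.10", False, "tcp", 389, "open"),
    ("10.0.0.10", False, "tcp", 1002, "open"),
]


def ports_open_on_dead_hosts(results):
    """Return the set of (proto, port) pairs the scanner reports open on a
    host that never answered a liveness probe. A host that is not up cannot
    complete a handshake, so such findings come from the scanner itself or
    from something in the path (local firewall, proxy, IDS reset injection)."""
    return {
        (proto, port)
        for host, alive, proto, port, state in results
        if state == "open" and not alive
    }


def triage(results):
    """Split scan findings into scanner artifacts, expected IPsec listeners,
    and unexpected open ports that warrant a filter/management review."""
    artifacts = ports_open_on_dead_hosts(results)
    expected = defaultdict(list)    # host -> [(proto, port, label)]
    unexpected = defaultdict(list)  # host -> [(proto, port)]
    for host, alive, proto, port, state in results:
        if state != "open" or not alive or (proto, port) in artifacts:
            continue
        if (proto, port) in EXPECTED_LISTENERS:
            expected[host].append((proto, port, EXPECTED_LISTENERS[(proto, port)]))
        else:
            unexpected[host].append((proto, port))
    return {
        "artifacts": artifacts,
        "expected": dict(expected),
        "unexpected": dict(unexpected),
    }


def tcp_port_answers(host, port, timeout=2.0):
    """Independent confirmation from a different tool: does the host really
    complete a TCP handshake on this port? Run from a second machine when the
    primary scanner's output looks suspicious."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    report = triage(SAMPLE_SCAN)
    print("scanner artifacts (open on dead hosts):", sorted(report["artifacts"]))
    print("expected IPsec listeners:", report["expected"])
    print("unexpected open ports to review:", report["unexpected"])
```

On the sample data the triage discards TCP 389 and 1002 everywhere (they are "open" on hosts that are down), accepts UDP 500 and 4500 on the live concentrator as the IKE and NAT-T listeners the filters admit, and leaves TCP 21 on 10.0.0.1 as the one finding worth confirming with tcp_port_answers from another host and then checking against the interface filter rules and the Management Protocols page.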