759 Views | 0 Helpful | 2 Replies

VPN to outside source

tmishler04
Level 1

We have some clients that need to connect to their parent company using a VPN tunnel from our LAN to their LAN. Currently, when they try to connect, they are disconnected.

All of our clients are directed to go out through our proxy server which then travels through our pix firewall.

Currently when they try to connect they are getting a time out error.

I have the following ports open via access rules to the ip address of the server that they connect to.

IPSec, L2TP and PPTP, which require ports 500, 1701, and 1723.

I can create an exception so they do not go through our proxy, but this did not make a difference.

Can anyone give me a clue as to what I am missing here?  I want to make sure that our security does not become an issue but at the same time I need to make sure we are secure.

Thank you in advance for your suggestions and assistance.

Sincerely,

TJ

2 Replies

Jennifer Halim
Cisco Employee

For IPSec, here are the standard ports: UDP/500, UDP/4500, ESP protocol, and also configure "inspect ipsec-pass-thru" on your global policy:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1740887

For L2TP, here are the standard ports: TCP/1701, GRE protocol

For PPTP, here are the standard ports: TCP/1723, GRE protocol, and also configure "inspect pptp" on your global policy:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

For IPSec, if the IPSec server does not enable NAT-T, you will need to configure static 1:1 to allow ESP to go through.

Hope that helps.
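To make the above concrete, here is an added configuration example (not from this thread and not Cisco's own text) in PIX/ASA 7.x-8.2 syntax that permits the protocols the reply lists and enables the two inspections. Everything named in it is an assumption: the inside interface is called "inside", the client subnet is 192.0.2.0/24, the remote VPN server is 198.51.100.10 (both are documentation addresses), and the outbound ACL is named INSIDE_OUT. It also permits UDP/1701 alongside TCP/1701, since L2TP control traffic normally runs over UDP.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Assumed values: inside interface "inside", client subnet 192.0.2.0/24,
! remote VPN server 198.51.100.10, outbound ACL name INSIDE_OUT.

access-list INSIDE_OUT remark --- IPsec: IKE (UDP/500), NAT-T (UDP/4500), ESP ---
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq isakmp
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 4500
access-list INSIDE_OUT extended permit esp 192.0.2.0 255.255.255.0 host 198.51.100.10
access-list INSIDE_OUT remark --- L2TP control channel on 1701 (UDP in practice, TCP as listed above) ---
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 1701
access-list INSIDE_OUT extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 1701
access-list INSIDE_OUT remark --- PPTP: TCP/1723 control channel plus GRE data channel ---
access-list INSIDE_OUT extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq pptp
access-list INSIDE_OUT extended permit gre 192.0.2.0 255.255.255.0 host 198.51.100.10
! Apply the ACL inbound on the inside interface (skip if INSIDE_OUT is already applied).
access-group INSIDE_OUT in interface inside

! Enable the inspections named in the reply on the default global policy.
! ipsec-pass-thru tracks the IKE exchange on UDP/500 and opens the matching
! ESP return path; pptp tracks the TCP/1723 control channel and opens GRE.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
  inspect pptp
service-policy global_policy global

! Only if the remote IPsec server does not support NAT-T: a static 1:1 translation
! for the client host so ESP (which carries no port numbers) can be mapped back.
! Assumed public address 203.0.113.5, assumed client host 192.0.2.50.
! static (inside,outside) 203.0.113.5 192.0.2.50 netmask 255.255.255.255
```

The ACL entries alone are not enough for the IPsec and PPTP return traffic: ESP and GRE have no port numbers, so without the inspections (or a static translation) the firewall cannot match the inbound packets to an outbound session, which shows up on the client as exactly the timeout described in the question. A quick check after applying this is `show service-policy inspect ipsec-pass-thru` and `show conn` while a client attempts the tunnel.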

Ok. I will give this a try. I thought since the VPN was hosted elsewhere, I could just allow access through the normal ACLs.

I appreciate the help.
