12-08-2003 03:48 AM
I have Cisco VPN clients behind the PIX and I want them to connect to a VPN 3005 which is behind another PIX. Can anybody tell me which ports I have to open on both the PIX firewalls?
12-08-2003 05:52 AM
Hi,
You have to permit ESP and ISAKMP on the PIX. For example:
access-list acl-out permit esp host 99.99.99.2 host 99.99.99.12
access-list acl-out permit udp host 99.99.99.2 host 99.99.99.12 eq isakmp
For more information you can check this example:
Hope this helps.
12-09-2003 03:50 AM
It depends on how you have deployed your VPN remote access users.

By default, if you enable IPSec-over-TCP or IPSec-over-UDP, then port 10000 is used for both; these methods are Cisco proprietary and can be changed.

If you use NAT-T (NAT Traversal), the standards-based implementation, then it uses UDP 4500.

Either way, the operation of the VPN depends on:
1) whether these services have been enabled on the VPN Concentrator;
2) enabling the relevant transport settings in the VPN Client connection properties.
Regarding the PIX in front of the VPNC3005, you will need to allow the above ports inbound to your VPNC3005 public interface.
Locally, it depends on whether you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005.
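As an added illustration (not part of the thread, and not Cisco's tooling), the following Python audits a PIX access-list against the entries each transport mode described above needs toward the concentrator; the sample ACL reuses the two lines from the earlier reply, the `nat-t`/`ipsec-over-*` requirement table and the assumption that IPSec-over-UDP still carries IKE on UDP/500 are mine.

```python
# Added example: check which IPsec-related ACL entries a PIX is still missing
# for Cisco VPN clients reaching a VPN 3005, per the chosen transport mode.
import re

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # PIX port keywords -> UDP port

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_acl(config_text):
    """Return (action, proto, dst, port) per access-list line; port is int or None."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(" ".join(line.split()))  # collapse whitespace
        if not m:
            continue
        proto = m.group("proto").lower()
        proto = "esp" if proto == "50" else proto  # ESP is IP protocol number 50
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        entries.append((m.group("action"), proto, m.group("dst"), port))
    return entries

def missing_entries(config_text, transport, concentrator, port=10000):
    """List the (proto, port) pairs not yet permitted toward the concentrator.

    transport: 'native' (ESP + ISAKMP), 'nat-t' (adds UDP/4500), or the Cisco
    proprietary 'ipsec-over-udp' / 'ipsec-over-tcp' (port defaults to 10000 as
    in the thread but is configurable).  Assumption: IPSec-over-UDP keeps IKE on UDP/500.
    """
    required = {
        "native":         [("esp", None), ("udp", 500)],
        "nat-t":          [("esp", None), ("udp", 500), ("udp", 4500)],
        "ipsec-over-udp": [("udp", 500), ("udp", port)],
        "ipsec-over-tcp": [("tcp", port)],
    }[transport]
    allowed = {(p, pt) for act, p, dst, pt in parse_acl(config_text)
               if act == "permit" and dst in ("any", f"host {concentrator}")}
    def permitted(p, pt):  # 'ip' or a port-less entry covers every port of that protocol
        return ("ip", None) in allowed or (p, None) in allowed or (p, pt) in allowed
    return [(p, pt) for p, pt in required if not permitted(p, pt)]

# Constructed sample: the two ACL lines quoted in the earlier reply.
SAMPLE_ACL = """
access-list acl-out permit esp host 99.99.99.2 host 99.99.99.12
access-list acl-out permit udp host 99.99.99.2 host 99.99.99.12 eq isakmp
"""
```

Running `missing_entries(SAMPLE_ACL, "nat-t", "99.99.99.12")` reports only UDP/4500 as missing, while `"ipsec-over-tcp"` reports TCP/10000.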
12-10-2003 08:55 PM
1. esp
2. udp 50
3. udp 4500
12-12-2003 08:56 PM
Thanks for your reply. Do I need to open port 500 also for IPsec?