- Ports for Clientless VPN on Cisco VPN 3000 Series
- Posted by Doug Fox on September 9th, 2005
Which ports should I open on the firewall to allow "Site to Site" and
"Client to Site" IPsec VPNs as well as Clientless VPNs?
By the way, can this Cisco VPN be placed in the DMZ or behind the firewall
on the internal network?
Any info/pointers are much appreciated.
Thanks,
- Posted by Imhotep on September 9th, 2005
Doug Fox wrote:
What configuration are you using? Are you doing NAT Traversal (NAT-T)? Are
you using ESP or AH?
If you are using VPN for clients I would suggest using NAT-T. The reason is
that a lot of home users use NAT/PAT, which can cause problems for ESP,
which is why NAT-T was invented.
I have not used clientless VPN with Cisco yet. Usually, but not always, they
use the secure web port, 443.
I hope that helps. Please reply back with your specific configuration
requirements...
Imhotep
- Posted by Imhotep on September 9th, 2005
Imhotep wrote:
Ah, I almost forgot.
VPN (non NAT-T) uses either ESP or AH. These ARE NOT TCP/UDP ports but IP
protocol numbers:
ESP IP protocol type 50
AH IP protocol type 51
Either choice will use ISAKMP on UDP port 500.
NAT-T is different. Let me know if you are using it and I will explain it as
I understand it. Basically it encapsulates either ESP or AH packets and
sends them over a UDP port (most people use UDP 10000).
Im
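To make the distinction in the reply above concrete (ESP/AH are IP protocol numbers, ISAKMP and NAT-T are UDP ports, clientless VPN is TCP 443), here is an added example that is not part of the thread: a small classifier that parses a raw IPv4 packet and reports which VPN component a firewall rule would have to permit. It covers the UDP 10000 port quoted in the thread and, as an assumption beyond the thread, the standard NAT-T port 4500 from RFC 3947/3948, whose zero "non-ESP marker" separates encapsulated IKE from encapsulated ESP; all sample packets are constructed inline.

```python
import struct

# Values named in the thread, plus the RFC 3947 NAT-T port 4500 (assumption beyond the thread).
ESP, AH, TCP, UDP = 50, 51, 6, 17
ISAKMP_PORT = 500
CISCO_NAT_T_PORT = 10000   # Cisco default quoted in the thread: ESP/AH carried in UDP
RFC_NAT_T_PORT = 4500      # RFC 3948: IKE (4 zero bytes first) and ESP (non-zero SPI) share the port
HTTPS_PORT = 443           # clientless VPN


def classify(packet: bytes) -> str:
    """Return the VPN component a raw IPv4 packet belongs to, or 'drop'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == ESP:                      # IP protocol, not a port: must be permitted by number
        return "esp"
    if proto == AH:
        return "ah"
    if proto in (TCP, UDP) and len(payload) >= 8:
        _sport, dport = struct.unpack("!HH", payload[:4])
        if proto == UDP and dport == ISAKMP_PORT:
            return "isakmp"
        if proto == UDP and dport == CISCO_NAT_T_PORT:
            return "nat-t-esp"            # thread: ESP/AH wrapped in UDP 10000
        if proto == UDP and dport == RFC_NAT_T_PORT:
            inner = payload[8:]           # skip the 8-byte UDP header
            if len(inner) >= 4 and inner[:4] == b"\x00\x00\x00\x00":
                return "nat-t-ike"        # non-ESP marker present: IKE moved to 4500
            return "nat-t-esp"            # otherwise the first 4 bytes are an ESP SPI
        if proto == TCP and dport == HTTPS_PORT:
            return "clientless-https"
    return "drop"


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 header (checksum left zero; fine for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed samples: SPI 0x1234abcd + sequence number stands in for an ESP header.
ESP_HDR = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16
SAMPLES = {
    "esp": build_ipv4(ESP, ESP_HDR),
    "isakmp": build_ipv4(UDP, build_udp(500, 500, b"\x00" * 28)),
    "nat-t-esp": build_ipv4(UDP, build_udp(10000, 10000, ESP_HDR)),
    "nat-t-ike": build_ipv4(UDP, build_udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),
    "clientless-https": build_ipv4(TCP, struct.pack("!HH", 50000, 443) + b"\x00" * 16),
    "drop": build_ipv4(UDP, build_udp(40000, 53, b"\x00" * 12)),
}
```

Running `classify` over `SAMPLES` returns each key as its own label, which is exactly the set of rules the original question asks for.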