
Filter on Public-Interface for Cisco Concentrator 3000

Unanswered Question
Oct 23rd, 2003

Hello...

I have 2 questions.

1.)

I'm wondering why I don't need a filter for UDP 4001 if I'm connecting via IPsec over UDP port 4001. I only have the default filter for NAT-T (UDP 4500). Can someone explain why this works?

2.)

I have problems connecting when a firewall on the client side is involved. The firewall "says" fragmented packet dropped (UDP 500 from the concentrator). I have reduced the MTU to 1000 to see if this helps, but still the same problem...

This only happens when split tunnel is active; if I tunnel everything then I have no problems (with split tunnel active and no firewall, also no problems).


Thanks for any information...


best regards,

Walter

engel Tue, 10/28/2003 - 01:23

1. I believe the filter for IPsec over UDP (or IPsec over TCP) is invisible to the GUI. According to my experience it only kicks in when the VPN client begins the IKE connection (UDP/500) and, if successful, the filter for UDP/10000 (default port for IPsec over UDP) is applied to the Public Interface of the VPN 3000.


2. Regarding the client-side firewall, are you using CPP (Client Push Policy) or policy downloading from an Integrity Server (ZoneLabs firewall)? Just a guess: if your fragmented UDP/500 packets are dropped, you may have to add a filter for passing UDP/500.


Regards,

Engel

wgutschner Wed, 10/29/2003 - 06:15

Thanks for the information...

1. In the meantime I have found that the concentrator creates a dynamic filter for IPsec over UDP connections.

2. The problem is that the firewall drops fragmented packets. For this firewall (SonicWall) I can create a rule to allow fragmented packets, but what about simple firewalls where I can't create rules? I want to avoid fragments, but how? The settings in the interface configuration (fragmentation policy) don't help. I'm wondering why I have a fragmented packet only in split-tunnel mode? With tunnel everything I have IKE packets from 100 to 330 bytes, and with split tunnel on, I have one IKE packet with 3140 bytes -> 3 fragments??

best regards,

Walter
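The numbers Walter reports (a 3140-byte IKE packet on UDP/500 becoming 3 fragments, and an MTU of 1000 not helping) follow directly from IPv4 fragmentation arithmetic. The following calculator is an added example, not code from this thread or from Cisco; it assumes IPv4 without options (20-byte header), an 8-byte UDP header, no DF bit, and the sample datagram sizes are constructed from the values quoted in the thread.

```python
import math

IPV4_HEADER = 20  # bytes; assumes no IP options
UDP_HEADER = 8    # bytes

def ipv4_fragments(udp_payload_len: int, mtu: int) -> list[int]:
    """Return the IP payload length carried by each fragment when a UDP
    datagram with udp_payload_len bytes of payload is sent over a link
    with the given MTU (assumes IPv4, no options, DF bit clear).

    IPv4 fragment offsets are expressed in 8-byte units, so every fragment
    except the last must carry a multiple of 8 bytes of IP payload.
    """
    total = UDP_HEADER + udp_payload_len      # IP payload of the whole datagram
    room = mtu - IPV4_HEADER                  # IP payload that fits in one packet
    if room < 8:
        raise ValueError("MTU too small to carry any IPv4 payload")
    if total <= room:
        return [total]                        # fits, no fragmentation
    per_fragment = room - (room % 8)          # round down to an 8-byte multiple
    fragments = []
    remaining = total
    while remaining > 0:
        take = min(per_fragment, remaining)
        fragments.append(take)
        remaining -= take
    return fragments

def fragment_count(udp_payload_len: int, mtu: int) -> int:
    """Number of IP packets on the wire for one UDP datagram."""
    return len(ipv4_fragments(udp_payload_len, mtu))

def fragmentation_report(sizes: dict[str, int], mtus: tuple[int, ...]) -> dict[str, dict[int, int]]:
    """For each labelled datagram size, the fragment count at each MTU."""
    return {label: {mtu: fragment_count(size, mtu) for mtu in mtus}
            for label, size in sizes.items()}

# Constructed samples based on the sizes quoted in the thread:
# tunnel-everything IKE packets of 100..330 bytes, and the 3140-byte
# IKE packet seen with split tunnelling enabled.
SAMPLE_IKE_SIZES = {
    "ike_small": 100,
    "ike_largest_tunnel_all": 330,
    "ike_split_tunnel": 3140,
}

if __name__ == "__main__":
    report = fragmentation_report(SAMPLE_IKE_SIZES, (1500, 1000))
    for label, per_mtu in report.items():
        for mtu, count in per_mtu.items():
            print(f"{label:24s} MTU {mtu}: {count} packet(s) "
                  f"{ipv4_fragments(SAMPLE_IKE_SIZES[label], mtu)}")
```

Two things the output makes visible: a 3140-byte UDP payload plus its 8-byte header is 3148 bytes of IP payload, which at MTU 1500 splits into 1480 + 1480 + 188, the three fragments observed; and lowering the MTU to 1000 only raises the count to four, because fragmentation is driven by the size of the single IKE datagram, not by the link MTU. A firewall that silently drops non-initial fragments (common on simple consumer devices, since those fragments carry no UDP header to match a port rule on) will therefore break the exchange whenever that one large IKE packet is sent, which is why the symptom appears only with split tunnelling. The defender-side options are to allow fragments for UDP/500 between the two peers on the firewall that can be configured, or to reduce the size of that IKE datagram itself; the thread does not say what the 3140-byte packet carries.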
