Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
danielnunes
danielnunes
Community Member
‎11-22-2010 05:46 PM
‎11-22-2010 05:46 PM

ASA VPN Client and VPN L2L behind other ASA firewall

Hi Guys, I need to split my Firewall services as you can see on image attached, my actual Firewall keep connecting VPN Clent and L2L and my New ASA Firewall will gather all DMZs, but as you can see I need to open ports on  my new firewall to pass VPN client and L2L.

Wich ports do I need to open on my new Firewall to permit  VPN L2L and Clint connections?

thanks

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Jennifer Halim
Jennifer Halim Cisco Employee
Cisco Employee
‎11-23-2010 03:08 AM
‎11-23-2010 03:08 AM

Re: ASA VPN Client and VPN L2L behind other ASA firewall

TCP/1723 and GRE would be for PPTP VPN.

and UDP/1701 and GRE would be for L2TP VPN.

If you are running both PPTP and L2TP as well, then yes, you would need the above ports as well.

0 Helpful
Reply
3 REPLIES
Jennifer Halim
Jennifer Halim Cisco Employee
Cisco Employee
‎11-22-2010 06:39 PM
‎11-22-2010 06:39 PM

Re: ASA VPN Client and VPN L2L behind other ASA firewall

IPSec VPN works on a number of protocol/ports, and here are most common ones (unless you have change the NAT-T to different ports):

UDP/500

ESP (protocol)

UDP/4500

UDP/10000

TCP/10000

Hope that helps.

0 Helpful
Reply
danielnunes
danielnunes
Community Member
‎11-23-2010 02:58 AM
‎11-23-2010 02:58 AM

Re: ASA VPN Client and VPN L2L behind other ASA firewall

Jennifer,

thanks for your quickly response.

Will those ports work out fine for VPN-Client and VPN Site-to-Site?

I saw that there are TCP/1723 and TCP/1701, will necessary?

thanks

0 Helpful
Reply
Jennifer Halim
Jennifer Halim Cisco Employee
Cisco Employee
‎11-23-2010 03:08 AM
‎11-23-2010 03:08 AM

Re: ASA VPN Client and VPN L2L behind other ASA firewall

TCP/1723 and GRE would be for PPTP VPN.

and UDP/1701 and GRE would be for L2TP VPN.

If you are running both PPTP and L2TP as well, then yes, you would need the above ports as well.

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
241
Views
0
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs