IPSec VPN Ports/Protocol

Muhammad Zubair
Level 1

I want to fine-tune our firewall, and for that I need to allow IPSec VPN traffic through the firewall. Can anyone tell me the exact IPSec ports and protocols? Our VPN device resides behind the firewall and is using IPSec over UDP.

We are using Cisco ASA 5500 series as a VPN server.

Accepted Solution

ajagadee
Cisco Employee

Hi,

ISAKMP - UDP 500

ESP - Protocol 50

ISAKMP NAT-Traversal - UDP 4500 (NAT-T)

IPSEC Over UDP - UDP 10000 (Default)

IPSEC Over TCP - TCP 10000 (Default)

Regards,

Arul

*Pls rate if it helps*


3 Replies

Fernando_Meza
Level 7

Hi,

For that you might need to allow UDP 500; you might also need to allow ESP (protocol 50).

Assuming your VPN head-end device uses a routable (public) IP address, then you only need to allow the above ports; otherwise you will have to use static NAT.

What is your scenario?
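The port and protocol list from the accepted answer and from Fernando's reply, worked through as an added example (this is not code from the original posts or from Cisco): a small Python checker that encodes the list as an allow-list, classifies a few constructed packet summaries against it, demuxes UDP/4500 traffic into IKE, NAT keepalive and UDP-encapsulated ESP as RFC 3948 defines them, and renders the equivalent ASA-style extended ACL entries. The head-end address 203.0.113.10, the ACL name OUTSIDE_IN, the client address and the sample packets are all constructed for the example, and the ACL rendering assumes the upstream firewall uses ASA ACL syntax, which the thread does not state. Only the destination port at the head-end is matched; client source ports are ephemeral and left as "any".

```python
"""Allow-list checker for the IPsec ports and protocols listed in the thread.

Added example, not code from the original posts or from Cisco. It turns the
accepted answer's list (ISAKMP UDP/500, ESP IP protocol 50, NAT-T UDP/4500,
Cisco IPsec over UDP and over TCP on port 10000) into a classifier, runs a
few constructed packet summaries through it, and renders the equivalent
ASA-style ACL entries. Head-end address, ACL name and packets are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ports and protocols from the accepted answer.
ISAKMP_UDP = 500
NAT_T_UDP = 4500
CISCO_IPSEC_UDP = 10000   # ASA default for IPsec over UDP (transparent tunneling)
CISCO_IPSEC_TCP = 10000   # ASA default for IPsec over TCP
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50

# Assumed address of the ASA head-end as seen by the upstream firewall (RFC 5737 range).
VPN_HEADEND = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary: IP protocol, addresses, L4 ports and payload."""
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""


def demux_nat_t(payload: bytes) -> str:
    """Tell IKE, keepalive and UDP-encapsulated ESP apart on UDP/4500 (RFC 3948).

    IKE on 4500 starts with a 4-byte zero "non-ESP marker"; a lone 0xFF byte
    is a NAT keepalive; anything else is ESP whose first four bytes are the
    SPI (RFC 3948 forbids SPI 0 so the marker stays unambiguous).
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:  # ESP header is SPI (4 bytes) + sequence number (4 bytes)
        spi = int.from_bytes(payload[:4], "big")
        return f"esp-spi-0x{spi:08x}"
    return "malformed"


def classify(pkt: Packet) -> str:
    """Return the allow-list entry a packet towards the head-end matches, or 'drop'."""
    if pkt.dst != VPN_HEADEND:
        return "drop"
    if pkt.proto == IP_PROTO_ESP:
        return "esp"
    if pkt.proto == IP_PROTO_UDP:
        if pkt.dport == ISAKMP_UDP:
            return "isakmp"
        if pkt.dport == NAT_T_UDP:
            return "nat-t/" + demux_nat_t(pkt.payload)
        if pkt.dport == CISCO_IPSEC_UDP:
            return "cisco-ipsec-over-udp"
    if pkt.proto == IP_PROTO_TCP and pkt.dport == CISCO_IPSEC_TCP:
        return "cisco-ipsec-over-tcp"
    return "drop"


def asa_acl(acl: str, headend: str, transparent_tunneling: bool = False) -> List[str]:
    """Render the allow-list as ASA-style extended ACL entries (assumed syntax).

    NAT detection happens inside the UDP/500 exchange: a NATed client then
    moves to UDP/4500 and carries ESP inside UDP, while a client with no NAT
    on the path keeps sending native ESP. The firewall cannot know in advance
    which one a given client will use, so both lines are needed. The port
    10000 lines are only needed if the ASA is configured for IPsec over UDP/TCP.
    """
    base = f"access-list {acl} extended permit"
    lines = [
        f"{base} udp any host {headend} eq {ISAKMP_UDP}",
        f"{base} esp any host {headend}",
        f"{base} udp any host {headend} eq {NAT_T_UDP}",
    ]
    if transparent_tunneling:
        lines.append(f"{base} udp any host {headend} eq {CISCO_IPSEC_UDP}")
        lines.append(f"{base} tcp any host {headend} eq {CISCO_IPSEC_TCP}")
    return lines


# Constructed sample traffic from a client at 198.51.100.7 (not captured data).
SAMPLE_PACKETS = [
    Packet(IP_PROTO_UDP, "198.51.100.7", VPN_HEADEND, 62515, 500, b"\x11" * 28),
    Packet(IP_PROTO_ESP, "198.51.100.7", VPN_HEADEND),
    Packet(IP_PROTO_UDP, "198.51.100.7", VPN_HEADEND, 4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28),
    Packet(IP_PROTO_UDP, "198.51.100.7", VPN_HEADEND, 4500, 4500, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 16),
    Packet(IP_PROTO_UDP, "198.51.100.7", VPN_HEADEND, 4500, 4500, b"\xff"),
    Packet(IP_PROTO_TCP, "198.51.100.7", VPN_HEADEND, 51000, 10000),
    Packet(IP_PROTO_UDP, "198.51.100.7", VPN_HEADEND, 51001, 443),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.proto:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {classify(p)}")
    print("\n".join(asa_acl("OUTSIDE_IN", VPN_HEADEND, transparent_tunneling=True)))
```

Running the block prints one classification per sample packet followed by the five ACL lines; the HTTPS packet to the head-end and anything addressed elsewhere fall through to "drop". If the ASA is not configured for IPsec over UDP/TCP, call `asa_acl` with the default and leave port 10000 closed.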


Hi,

I have been searching for this for quite a long time, but never got a firm answer.

The Cisco VPN Client online help says: IPSec over UDP - this port is negotiated and cannot be changed - but I was never able to find any mention of how it is negotiated.

Looking at sniffer packets: besides UDP 500, sometimes UDP 62515 and other times UDP 62514 was used. UDP 10000 was never used.

Thanks
