Cisco Support Community
Community Member

Another question on VPN through PIX from inside network

Hi there,

I recently wrote the forum about this topic a while back, and the reply was that if TCP/UDP encapsulation was used on a VPN client from inside the firewall, a VPN connection could probably be established. Well, we have a new customer trying to use VPN from within our network who is claiming they need the following ports open on our firewall in order for this to work.

UDP port 500 outbound and protocols 50 and 51 inbound. We also need UDP ports 41,000-43,000 inbound in case NAT traversal is needed.

From my understanding of the last answer, this opening of ports shouldn't be necessary, particularly since we have no restrictions outbound and this is being established from inside our network. Is this correct? The problem we are seeing when we try to connect is that they get to their VPN server and obtain an IP address just fine. We couldn't ping anything on their internal network, though, and when I looked at stats on the NIC, we were seeing packets transmitted out but not in. I haven't been able to verify if they are using TCP/UDP encapsulation.

If I end up having to open up these ports, how great of a security risk is it?

Any information you can provide would be greatly appreciated!



Cisco Employee

Re: Another question on VPN through PIX from inside network

For outbound connections, the PIX only opens up "holes" for returning traffic for TCP and UDP based traffic. IPSec packets sit right on top of IP, they are NOT UDP/TCP packets, so for them to come back into the PIX from the outside you need to specifically allow them in with an access-list (similar to how you need to allow ICMP packets specifically, since these are also not TCP/UDP packets).

So, yes, if the client is inside you need to allow IP protocols 50 and 51 back into the PIX with:

> access-list ### permit esp host host

> access-list ### permit ahp host host

Keep in mind that this assumes they're NOT using any sort of IPSec encapsulation. Because of this, these packets can't be PAT'd properly by the PIX since, again, PAT is based on TCP/UDP port numbers, of which there aren't any, so this internal VPN PC will need a one-to-one static in the PIX for it to work. That also assumes that the client and VPN concentrator don't support NAT-T, in which case just PAT'ing on the PIX should be OK.

As for ports 41000-43000 I have no idea. NAT Traversal (a standard) is supposed to use UDP port 4500, and since it's a UDP packet, the PIX will open a "hole" for it to come back in so you shouldn't need to open anything for this. These ports are probably vendor specific to whatever VPN equipment you're using, you'll need to investigate further before you open these up.
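The two cases the reply describes, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from the original thread or from Cisco: the addresses (10.1.1.50 for the inside client, 203.0.113.10 as its one-to-one public address, 192.0.2.25 for the customer's VPN server) are documentation-range placeholders, and the access-list name outside_in is an assumed name.

```text
! --- Case 1: plain IPSec (ESP/AH), no NAT-T and no TCP/UDP encapsulation ---
! ESP (50) and AH (51) carry no port numbers, so the client cannot share the
! PAT address. Give it a one-to-one static so the returning packets can be
! mapped back to the inside host.
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255

! ESP and AH are not TCP/UDP, so the PIX opens no return "hole" for them.
! Permit them inbound only from the customer's VPN server to the static
! address above (the outside-interface ACL matches on the translated address).
access-list outside_in permit esp host 192.0.2.25 host 203.0.113.10
access-list outside_in permit ah  host 192.0.2.25 host 203.0.113.10
access-group outside_in in interface outside

! --- Case 2: client and concentrator both support NAT-T (UDP 4500) ---
! IKE (UDP 500) and the NAT-T encapsulated ESP (UDP 4500) are UDP, so the
! ordinary outbound PAT is enough: the PIX tracks the UDP flow and lets the
! replies back in. No static and no inbound access-list entry are needed.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

The inbound ACL in case 1 is deliberately narrow: it allows only the two IPSec protocols, only from the known peer, only to the one host that holds the static. Nothing for the 41000-43000 range is added, since the reply could not attribute those ports to any standard; confirm with the customer what actually uses them before permitting anything there.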
