Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

inside - outside VPN Client


I need to allow my clients behind a pix to open VPN tunnel to the outside throught PIX.

What ports should i open ? on the firewall



Re: inside - outside VPN Client

You need UDP port for ISAKMP and UDP port 4500 for nat traversal



Re: inside - outside VPN Client

sysopt connection permit-ipsec command should do the trick. This will allow ipsec protocol to pass through without checking the ACL's etc.

Cisco Employee

Re: inside - outside VPN Client


The answer is: it depends upon how your VPN Client is configured.

(1) You will need to allow Internet Key Exchange (IKE) to occur, which uses UDP port 500. You will also see the term ISAKMP (Internet Security Association and Key Management Protocol) which refers to the protocol that allows IKE to occur.

(2) You will need to allow IPSec traffic:

Option (a): Allow native IPSec traffic (un-encapsulated). This will typically be IP protocol numbers 50, for ESP (Encapsulated Security Payload). Very rarely an organization will use IP protocol number 51 for AH (Authenticated Header). In general, if AH is being used then data is not being encrypted.

Option (b): IPSec over UDP: Tunneling IPSec traffic over UDP port numbers. Historically, the Cisco VPN default for IPSec over UDP is UDP port number 10000.

Option (c): IPSec over TCP: Tunneling IPSec traffic over TCP port numbers. Historically, the Cisco VPN default for IPSec over TCP is TCP port number 10000.

Option (d): IPSec over UDP (Standard-based): Relatively new (several years old now) is NAT-T (Network Address Translation - Traversal) uses UDP port 4500 to negotiate IPSec.

Assumption: I assumed from your question that you do not allow inside devices unrestricted access to the Internet.

Recommendation: Allow Options (a) and (d) -- insure that the VPN clients are configured to support NAT-T. NAT-T should detect if IPSec encapsulation over UDP is needed, if not then it will run native IPSec in order to avoid the unnecessary overhead of encapsulation.

Common misconfiguration: It is very common for firewall rules to allow more ports for VPN access than what is truly required. Most often the IP protocol number 51 (for AH) is a misconfiguration and should be removed.

Commonly deployed Cisco Firewall feature: An easy way 'out' is to deploy the 'sysopt connection permit-ipsec' feature. This allows UDP port 500, and IP protocol numbers 50 and 51. This permits IPSec traffic to pass through the Cisco firewall without a check of access-list command statements. If you are running PIX/ASA code 7.1(1) or later then the command is 'sysopt connection permit-vpn'.

Best Regards,

Troy McCarty

P.S.: Many companies allow unrestricted access from the inside of their networks to the outside. The IKE (isakmp) exchanges create two uni-directional tunnels. IKE sets up a single IPSec bi-directional tunnel. The point being that you may need to allow UDP 500 in from the outside.

CreatePlease to create content