
IPSEC over TCP & SSL VPN

steveg
Level 1

We have a pair of ASA5550's running 8.0(3) that are configured for ipsec-over-tcp on port 443. I'd like to enable and test ssl vpn (Anyconnect) functionality on the same ASAs - do I have to use a different port for the ssl vpns or can both services coexist on the same port?


JORGE RODRIGUEZ
Level 10

Both services can coexist on the outside interface, as it is also part of SSL clientless VPN.

Rgds

-Jorge

Jorge Rodriguez

michael.leblanc
Level 4

I think that would be analogous to expecting an FTP server to be able to share the same port number with a Web server.

One process, one port.

Use a separate port.

Michael, we are not talking about FTP; it is simply a matter of understanding Anyconnect and WebVPN, both of which are SSL based.

Here are a couple of links for reference. If I were not sure, I would not have answered the thread; I run both Anyconnect and WebVPN.

Anyconnect

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#req

Webvpn

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Rgds

-Jorge

Jorge Rodriguez

The guy is talking about "ipsec-over-tcp on port 443." Please read the initial question carefully. This will require different ports AFAIK.

Regards

Farrukh

Jorge:

You misunderstood my reply.

I was providing an "analogy", that you can't expect two different processes to share the same TCP port number.

He was indicating that he was encapsulating his existing IPSec tunnels within TCP (port 443), and was wondering whether he could "also" terminate SSL VPN tunnels on the same TCP port of the endpoint.

I was suggesting that he needs to terminate these two different processes on different TCP port numbers.

I read his post carefully, did you read mine carefully?

Another thought: He did not say his pre-existing IPsec tunnels were web-based. He may have chosen port 443 so that his VPN clients could get through a port commonly open on most firewalls.

Michael, please accept my apologies. Indeed, I did not read the IPsec/TCP portion; it was a misunderstanding on my part, and thus I treated the answer from a different perspective. Your approach is logical.

Rgds

-Jorge

Jorge Rodriguez

Jorge:

Thank you for the gracious response.
