Cisco Support Community
Community Member

IPSEC through the firewall

I have a consultant who is working in my office and wants to use his Win2000 VPN to get into his network (which is external to mine). What do I need to do to allow him to make an IPsec tunnel through my firewall? Thanks for the help.



Re: IPSEC through the firewall

Open port 500 UDP for ISAKMP and IP type 50 and 51 for ESP/AH traffic.

Community Member

Re: IPSEC through the firewall

Hiya -

For IPSec traffic, you need to permit UDP 500 and IP protocols 50 and 51 (depending on whether you're doing AH and/or ESP).

It wasn't clear from your message, but it may not be okay to just allow a VPN into your network from the outside, considering the fact that such a tunnel would bypass any perimeter (e.g. firewall) security enforcement that you might be doing...

Hope this helps


Community Member

Re: IPSEC through the firewall

I tried opening these ports, and it still didn't work. The consultant in my office is using the Windows 2000 VPN. Are there any other ports that could possibly need to be opened? The VPN does work when I open all IP ports (specifying both host numbers), so I know it works. I just need to figure out the right port to open. Thanks for all your help in advance.


Community Member

Re: IPSEC through the firewall

If it is an MS PPTP tunnel you will need TCP port 1723 and the GRE protocol (protocol 47).
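The mismatch in this thread (IPsec ports opened, PPTP client still blocked) can be checked against a rule set before touching the firewall. The following is an added example, not part of any post: the `Rule` model, first-match evaluation with implicit deny, the addresses and both rule lists are constructed assumptions, and only the client-to-gateway direction is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UDP, TCP, GRE, ESP, AH = 17, 6, 47, 50, 51  # IP protocol numbers

# Outbound flows each client type needs, as listed in the replies above:
# (IP protocol, destination port or None for port-less protocols).
# AH and ESP are both listed for IPsec; a given tunnel may use only one.
REQUIRED = {
    "ipsec": [(UDP, 500), (ESP, None), (AH, None)],
    "pptp": [(TCP, 1723), (GRE, None)],
}

@dataclass(frozen=True)
class Rule:                      # hypothetical rule model, not a vendor syntax
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # None matches any IP protocol
    src: str                     # single host or CIDR
    dst: str
    dport: Optional[int] = None  # None matches any destination port

def permitted(rules, proto, src, dst, dport=None):
    """First matching rule wins; no match means implicit deny."""
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if ip_address(src) not in ip_network(r.src) or ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False

def missing_flows(rules, vpn, client, gateway):
    """Flows the given VPN type needs that the rule set does not permit."""
    return [f for f in REQUIRED[vpn] if not permitted(rules, f[0], client, gateway, f[1])]

# Constructed sample: documentation addresses, rules scoped to one host pair.
CLIENT, GATEWAY = "192.0.2.10", "198.51.100.20"
IPSEC_ONLY = [                   # what was opened first in the thread
    Rule("permit", UDP, CLIENT, GATEWAY, 500),
    Rule("permit", ESP, CLIENT, GATEWAY),
    Rule("permit", AH, CLIENT, GATEWAY),
]
PPTP_ADDED = IPSEC_ONLY + [      # plus the PPTP flows from the later reply
    Rule("permit", TCP, CLIENT, GATEWAY, 1723),
    Rule("permit", GRE, CLIENT, GATEWAY),
]
```

Scoping every rule to the single client and gateway address keeps the opening narrower than the "all IP" test described earlier in the thread.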

Community Member

Re: IPSEC through the firewall

What is the GRE protocol? I have a similar situation where I need to connect a Windows 2000 client via PPTP who is behind a firewall to our VPN (Altiga/Cisco 3000 VPN box). We are unable to "verify user name and password" (gets stuck there) but can do a tracert to the external VPN IP address. The same user can connect from home via DSL with no firewall with no problem. Also, you mentioned opening TCP port 1723 at the client's firewall. Is that just outbound only? What would be the IOS command to do that? Many thanks!
