Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
5
Helpful
10
Replies

Port blocking on Cisco Concentrator 3000?

whiteford
Level 1
Level 1

‎11-02-2006 05:33 AM - edited ‎03-09-2019 04:45 PM

We have many LAN-to-LAN's and client VPN sessions, but wondered is there any way or port blocking or creating rules like a firewall on it? our Concentrators private port goes straight into our LAN and the public is straight to the Internet (no fireall in between). there must be away to lock this connections down a bit?

Labels:
0 Helpful
10 Replies 10

d-mark
Level 1
Level 1

‎11-02-2006 06:25 AM

Hi,

there is a way to do something like 'firewalling' on a Cisco Concentrator 3k. On the web-config gui go to "Configuration | Policy Management | Traffic Management". There you can create "Rules" ,if needed use "Network Lists" while/before doing that. Than group the different rules to the needed "Filter" and assign then to the physical interfaces.

HTH

Mark

0 Helpful

whiteford
Level 1
Level 1
In response to d-mark

‎11-02-2006 07:56 AM

Should the Cisco Concentrator go through a firewall really?

0 Helpful

d-mark
Level 1
Level 1
In response to whiteford

‎11-02-2006 11:09 PM

Do you mean if it is necessary to put a separate firewall device in front of the concentrator?

If so, that depends on your requirements. In some cases, eg. for troubleshooting, it could be helpful to have the possibility to take a look at the traffic in front of the concnetrator. But as mentioned above, the concentrator itself has the ability to do port filtering.

0 Helpful

whiteford
Level 1
Level 1
In response to d-mark

‎11-02-2006 11:47 PM

What is the best way to have the Concentrator located, should it work with a firewall or as you say just use the port blocking/filtering? If so how can I configure it so certain LAN-to-LAN's or client VPN have different open ports than others? As customers have different requirments on access needs?

0 Helpful

d-mark
Level 1
Level 1
In response to whiteford

‎11-03-2006 04:31 AM

If you run the concentrator behind a firewall you have to open the appropriate ports and protocols (like esp or upd 500). You should also thing about NAT if you use it, there could be problems due to this. But only using the filter capabilities of the concentrator would work fine to.

You can configure a filter to restrict the access for a L2L and apply it to the connection under "Configuration | Tunneling and Security | IPSec | LAN-to-LAN" to the point "Filter".

0 Helpful

whiteford
Level 1
Level 1
In response to d-mark

‎11-03-2006 05:10 AM

I wonder how others have theirs configured? using a firewall or not.

0 Helpful

d-mark
Level 1
Level 1
In response to whiteford

‎11-03-2006 08:10 AM

On the concentrators I know there are filters at least at the public interface. And in some cases there is also a firewall (router with acl) in front of the concentrator.

0 Helpful

dpatkins
Level 1
Level 1
In response to d-mark

‎03-05-2007 06:17 AM

I would like to ask a similar question. I have request to allow TCP/UDP ports 1100 and 1105 bidirectionally. Does this mean that I will need to create 4 seperate rules one each way for TCP and one each way for UDP and then assign them one filter?

Any help would be really appreciated. I tried to go through the L2L rule and it did not work.

Thanks

Dwane

0 Helpful

Kamal Malhotra
Cisco Employee
Cisco Employee
In response to dpatkins

‎03-05-2007 06:31 AM

Hi Dwane,

You have to do it cautiously. If the source and destination ports are not correct the traffic will be blocked. You also need to identify if ports 1100 and 1105 are the destination for the inbound traffic or outbound traffic. Assuming that these are the destination ports for the inbound traffic then you need to do the following :

1. Create a rule with source IP and port as any. Destination IP would be the inside IP (you have to consider the NAT/PAT as well) and dest port would be TCP 1100.

2. Same for 1105.

3. Another rule with source IP as the inside IP and source post as TCP 1100 and destination IP and port as any.

4. Same for 1105.

Follow the above steps for UDP traffic. Assign these to a filter. It could either be the public filter or a specific filter for the LAN-LAN tunnel.

Please let me know if you need further information on this.

HTH,

Please rate if it helps,

Regards,

Kamal

dpatkins
Level 1
Level 1
In response to Kamal Malhotra

‎03-06-2007 08:27 PM

That is what I did. It took 8 rules to make the filter. I appreciate the help.

Dwane

0 Helpful
Customers Also Viewed These Support Documents