Cisco Support Community

New Member

Remote VPN client connection fails due to source port filter

Hello...I have my VPN 3015 concentrator behind my PIX 515 firewall. The access-list on the outside interface of the firewall allows access to the concentrator via the recommended ports in the "Cisco VPN 3000 Concentrator Frequently Asked Questions" document. I recently encountered a problem with a remote client connecting to the firewall because the source port for the incoming ISAKMP packet was less than 500. This is the first of over 100 installations where I have encountered this problem. As a workaround, I edited the access-list to prevent filtering on the source port for the ISAKMP packet. The client is behind a firewall on the remote side so I am guessing their firewall is randomizing the source port to a value below 500. We are running IPSec over UDP.

Is it normal to experience this problem or could there be something wrong with the remote firewall? Are there particular types of firewalls that will impact our ability to filter on the source port?


Cisco Employee

Re: Remote VPN client connection fails due to source port filter

Difficult to say how particular types of firewalls do their NAT/PAT'ing. I would say you're correct in assuming that this particular firewall is PAT'ing the source port to something under 500, which I guess is valid although not usual. The destination port should always remain at 500, so it would be safer to keep your ACL in place and only have it look at the destination port.
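The two ACL shapes being compared above, written out in PIX 6.x access-list syntax. This is an added illustration, not configuration from the original post or from Cisco documentation; the ACL name outside_in and the concentrator address 192.0.2.10 are placeholders, and the lines beginning with "!" are annotations rather than PIX commands. Only the ISAKMP entry is shown; the ESP and IPSec-over-UDP entries the original ACL would also need are unchanged by this discussion and omitted here.

```text
! Placeholder ACL name and address, not taken from the original post.
!
! Entry that filters on BOTH source and destination port. A remote
! firewall that PATs the client's ISAKMP source port to something other
! than 500 (as described in the post) does not match this line, and the
! PIX drops the packet:
access-list outside_in permit udp any eq isakmp host 192.0.2.10 eq isakmp

! Entry that checks only the destination port. The destination stays
! UDP/500 regardless of what the remote PAT does to the source port, so
! this line matches both the usual 500->500 packet and the PAT'ed case:
access-list outside_in permit udp any host 192.0.2.10 eq isakmp

! Bind the list inbound on the outside interface as usual:
access-group outside_in in interface outside
```

Keeping the host and destination-port match means the change only relaxes the source-port check; it does not open the concentrator to anything beyond UDP/500, which is the point of the reply above.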