Remote VPN client connection fails due to source port filter
Hello...I have my VPN 3015 concentrator behind my PIX 515 firewall. The access-list on the outside interface of the firewall allows access to the concentrator via the recommended ports in the "Cisco VPN 3000 Concentrator Frequently Asked Questions" document. I recently encountered a problem with a remote client connecting to the firewall because the source port for the incoming ISAKMP packet was less than 500. This is the first of over 100 installations where I have encountered this problem. As a workaround, I edited the access-list to prevent filtering on the source port for the ISAKMP packet. The client is behind a firewall on the remote side so I am guessing their firewall is randomizing the source port to a value below 500. We are running IPSec over UDP.
Is it normal to experience this problem or could there be something wrong with the remote firewall? Are there particular types of firewalls that will impact our ability to filter on the source port?
Re: Remote VPN client connection fails due to source port filter
Difficult to say how particular types of firewalls do their NAT/PAT'ing. I would say you're correct in assuming that this particular firewall is PAT'ing the source port to something under 500, which I guess is valid although not usual. The destination port should always remain at 500, so it would be safer to keep your ACL in place and only have it look at the destination port.
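As an added illustration of the change suggested in this reply (not configuration from the original post), here is the source-port-filtering ACL line beside the destination-port-only version in PIX access-list syntax; the concentrator address 203.0.113.10, the ACL name and the IPSec-over-UDP port value are assumed placeholders, not taken from the thread:

```text
! Before: matches only when the remote peer's SOURCE port is also 500.
! A remote NAT/PAT device that rewrites the source port (here, to a
! value below 500) makes this line fail to match and the ISAKMP packet
! is dropped before it reaches the concentrator.
access-list outside_in permit udp any eq isakmp host 203.0.113.10 eq isakmp

! After: only the DESTINATION port is checked. ISAKMP is always sent to
! UDP/500 on the responder, so this keeps the filter while tolerating
! any source port the remote firewall chooses.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp

! The same principle applies to the IPSec-over-UDP port configured on the
! concentrator (assumed here to be UDP/10000): match on destination only.
access-list outside_in permit udp any host 203.0.113.10 eq 10000

access-group outside_in in interface outside
```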