
Cisco AnyConnect install on 2900 ISR... Ports needed to open to allow AnyConnect

dan hale
Level 3

Hi All, I just installed AnyConnect on a Cisco 2911 that has the ipbase, securityk9, and UCK9 licenses with IOS 15.2.

When I tested it from outside the ISP network it would not connect. I then took off my ACLs coming inbound on the outside interface facing the ISP and it worked.

Are there ports that I need to open from the internet for AnyConnect? I have done this on the ASA platform but I don't recall having to allow ports from the internet in... seems like a bad idea?

I'm using CBAC on the firewall; below is the port configuration and the outside-to-inside ACLs.

interface GigabitEthernet0/0
description Outside
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip access-group in-outside in
ip verify unicast reverse-path
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex full
speed 1000
crypto map XXXXXXXX

ip access-list extended in-outside
permit icmp any any echo-reply log
permit icmp any any time-exceeded log
permit icmp any any unreachable log
permit udp host XXXXXXXXX any eq isakmp
permit udp host XXXXXXXXX any eq non500-isakmp
permit esp host XXXXXXXXX any
permit ahp host XXXXXXXXX any
permit tcp any any eq 22
permit udp any any eq 22
permit udp host XXXXXXXXX any eq ntp
permit udp host XXXXXXXXX any eq ntp

Thanks,

Dan

1 Reply

Marvin Rhoads
Hall of Fame

AnyConnect is most often used for SSL remote access VPN and thus requires tcp/443 inbound by default. You can change the default port but it's still SSL/TLS protocol-wise. (It can be used for IKEv2 IPsec but that is much less common.)

Your ACL has all the ports required for IPsec (IKEv1 or IKEv2) plus ssh and ntp.
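As an added example (not part of the original thread), here is the entry the reply above calls for, written against the in-outside ACL Dan posted: permit TLS to the router's own outside address rather than "any any", and verify the gateway port actually matches. The gateway name ANYCONNECT-GW, the placeholder addresses and the default port 443 are assumptions; if the webvpn gateway is configured with a non-default port, the ACL entry must use that port instead.

```cisco
! Added example, not from the original post. Assumes the WebVPN gateway is
! bound to the outside interface address (XXX.XXX.XXX.XXX) on the default
! tcp/443. Name and addresses are placeholders.
!
! 1. Confirm which port the SSL VPN gateway is actually listening on.
!    If this shows a "port" other than 443, use that value in the ACL below.
show webvpn gateway
show running-config | section webvpn gateway
!
! 2. Add the single inbound entry the SSL VPN needs. Entries in a named ACL
!    are appended in order, so this is placed before any implicit deny.
!    Scoping the destination to the interface address (not "any") keeps
!    the ACL as tight as the existing host-scoped IPsec entries.
configure terminal
ip access-list extended in-outside
 remark AnyConnect SSL VPN - TLS to the outside interface address only
 permit tcp any host XXX.XXX.XXX.XXX eq 443
end
!
! 3. Verify the entry is present and, after a client test, that its hit
!    counter increments. A zero count with a failed client connect means
!    the traffic is not reaching this ACL (wrong port, or NAT/upstream).
show ip access-lists in-outside
!
! 4. If the gateway is later moved off 443 (example: port 4443), the ACL
!    must change with it; the protocol is still TLS, only the port differs.
!    webvpn gateway ANYCONNECT-GW
!     ip address XXX.XXX.XXX.XXX port 4443
!     inservice
!    ip access-list extended in-outside
!     no permit tcp any host XXX.XXX.XXX.XXX eq 443
!     permit tcp any host XXX.XXX.XXX.XXX eq 4443
```

The IPsec entries already in the ACL (isakmp, non500-isakmp, esp, ahp) are what an IKEv2 AnyConnect deployment would need; they do nothing for the SSL case, which is why removing the ACL "fixed" the connection in the original test.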
