Cisco Support Community
New Member

ipsec over tcp - required ports

Hi,

If I want to use ipsec over tcp do I need to open any ports on my firewall other than the tcp port, for instance 10000?

What I am trying to find out is if I also need ISAKMP, ESP, etc.

Thanks

2 REPLIES
New Member

Re: ipsec over tcp - required ports

Hi,

I think you have to allow ISAKMP & ESP

permit udp X.X.X.0 0.0.0.X any eq isakmp

permit esp X.X.X.0 0.0.0.X any

Gold

Re: ipsec over tcp - required ports

You still need udp/500...

The whole point of using tcp/10000 is that you can't use ESP in this situation.

"IPsec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates both the ISAKMP and IPsec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default."

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html#wp1059912
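As an added example (not from this thread and not Cisco code), a small Python checker that parses the permit lines posted in the first reply and reports which flows they cover under each of the two readings of what IPsec over TCP needs: only tcp/10000, as the Cisco passage quoted above describes, or tcp/10000 plus udp/500, as the second reply says. The ACL lines and the tcp/10000 port come from the thread; the Flow type, the port-name table and the function names are the example's own.

```python
"""Check which IPsec flows a set of Cisco extended-ACL permit lines covers."""
from __future__ import annotations
from dataclasses import dataclass

# Cisco ACL port keywords that may appear after 'eq' (isakmp = udp/500).
PORT_NAMES = {"isakmp": 500}


@dataclass(frozen=True)
class Flow:
    proto: str            # "udp", "tcp" or "esp"
    dport: int | None     # None for protocols without ports (esp)


def parse_permit(line: str) -> Flow | None:
    """Parse 'permit <proto> <src> <wild> <dst> [eq <port>]'.

    Assumes the 'eq' operator applies to the destination port, as in the
    thread's lines. Returns None for anything that is not a permit entry.
    """
    toks = line.split()
    if len(toks) < 2 or toks[0].lower() != "permit":
        return None
    dport = None
    if "eq" in toks and toks.index("eq") + 1 < len(toks):
        value = toks[toks.index("eq") + 1]
        dport = int(value) if value.isdigit() else PORT_NAMES[value.lower()]
    return Flow(toks[1].lower(), dport)


def audit(acl_lines: list[str], required: set[Flow]) -> tuple[set[Flow], set[Flow]]:
    """Return (missing, extra): required flows not permitted, permits not required."""
    permitted = {f for f in map(parse_permit, acl_lines) if f is not None}
    return required - permitted, permitted - required


# The ACL exactly as posted in the first reply (X placeholders kept as-is).
FIRST_REPLY_ACL = [
    "permit udp X.X.X.0 0.0.0.X any eq isakmp",
    "permit esp X.X.X.0 0.0.0.X any",
]

# Two readings of what IPsec over TCP on port 10000 requires through the firewall.
READINGS = {
    "doc: ISAKMP and ESP inside tcp/10000": {Flow("tcp", 10000)},
    "reply: tcp/10000 plus udp/500": {Flow("tcp", 10000), Flow("udp", 500)},
}


def audit_thread_acl() -> dict[str, tuple[set[Flow], set[Flow]]]:
    """Audit the first reply's ACL under both readings; tcp/10000 is missing in each."""
    return {name: audit(FIRST_REPLY_ACL, req) for name, req in READINGS.items()}
```

Under either reading the posted ACL lacks a permit for tcp/10000, which is the one port the question asks about.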
