Cisco Support Community

New Member

ipsec vpn ports?

Hi,

I will make a site-to-site VPN between two ASA firewalls. But I have an ADSL modem in front of the firewall, so I need to set up NAT for the ports which are used by the VPN. So what are these ports? Which ports should I NAT for the VPN?

thanks

3 REPLIES
Cisco Employee

Re: ipsec vpn ports?

For IPSec VPN, the following ports are to be used:

Phase 1: UDP/500

Phase 2: UDP/4500

You would also need to enable NAT-T on your ASA (command: crypto isakmp nat-traversal 20):

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067

That would encapsulate ESP (phase 2) to UDP/4500 so it can be NATed.

Re: ipsec vpn ports?

It is also advisable to open protocol 50 - ESP as well.

HTH

New Member

Re: ipsec vpn ports?

Most likely not possible on an ADSL modem, and since he is doing NAT, the solution would be, as stated above, to use NAT-T, therefore pushing phase 2 up to UDP/4500.
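
An added example, not part of the original thread and not Cisco code: a Python sketch of how a capture taken behind the modem can be checked against the replies above, telling apart IKE on UDP/500, IKE on UDP/4500, UDP-encapsulated ESP and NAT keepalives using the RFC 3948 framing. The function names are hypothetical and the packet bytes are constructed samples.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: four zero bytes precede IKE on UDP/4500
# IKE header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes)
IKE_HDR = struct.Struct("!8s8sBBBBII")

def parse_ike_version(data):
    """Return the IKE major version (1 or 2), or None if not a plausible IKE header."""
    if len(data) < IKE_HDR.size:
        return None
    _, _, _, version, _, _, _, length = IKE_HDR.unpack(data[:IKE_HDR.size])
    major = version >> 4
    return major if major in (1, 2) and length >= IKE_HDR.size else None

def classify(udp_port, payload):
    """Label a UDP payload seen on the IKE port or the NAT-T port."""
    if udp_port == IKE_PORT:
        major = parse_ike_version(payload)
        return f"ikev{major}" if major else "unknown"
    if udp_port != NATT_PORT:
        return "not-ipsec"
    if payload == b"\xff":  # one-byte keepalive that holds the NAT mapping open
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER:  # IKE that has floated to UDP/4500
        major = parse_ike_version(payload[4:])
        return f"ikev{major}-natt" if major else "unknown"
    if len(payload) >= 8:  # otherwise ESP: SPI (non-zero), then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp-in-udp spi=0x{spi:08x} seq={seq}"
    return "unknown"

def _ike(major, exchange):
    # Constructed IKE header with dummy SPIs, used only for the samples below.
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, major << 4, exchange, 0, 0, IKE_HDR.size)

# Constructed sample payloads (UDP port, bytes after the UDP header).
SAMPLES = [
    (500, _ike(1, 2)),                                         # IKEv1 on UDP/500
    (4500, NON_ESP_MARKER + _ike(1, 32)),                      # IKEv1 on UDP/4500
    (4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 32),  # ESP inside UDP/4500
    (4500, b"\xff"),                                           # NAT keepalive
]

if __name__ == "__main__":
    for port, pkt in SAMPLES:
        print(port, classify(port, pkt))
```

If only the "ikev1" label ever shows up and nothing appears on UDP/4500, check that NAT-T is enabled on both ASAs and that the modem forwards UDP/4500 as well as UDP/500.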
