Cisco Support Community
New Member

tcp port 443 for anyconnect

Hi Everyone,

I need to open a port on the edge router to allow AnyConnect connections coming from outside.

I need to confirm: do I need to open TCP port 443 only on the router?

Or do I need to open UDP port 443 also?

Regards

Mahesh

9 REPLIES
Hall of Fame Super Gold

tcp port 443 for anyconnect

Mahesh

By default the AnyConnect client will use TCP 443. But the AnyConnect client may also use DTLS (which provides the same type of authentication and encryption as SSL but uses UDP to do it). There is not a standard port for DTLS but I believe that there is an option on the ASA to configure a port for it to use and you would want that UDP port open also.

HTH

Rick

New Member

tcp port 443 for anyconnect

Hi Rick,

I need to open port TCP 443 on the ASA and our edge router.

So do I need to open port UDP 443 on both the ASA and the router?

Regards

Mahesh

Hall of Fame Super Gold

tcp port 443 for anyconnect

Mahesh

This example shows configuring DTLS for AnyConnect, and it does use port 443. But it is possible to specify a different port. So basically the ports you need to open will reflect the choices that you make in configuring AnyConnect.

And let me also make the point that DTLS is not a requirement. It is an optional feature (and in my opinion very beneficial). So you may enable it or you may not enable it - AnyConnect will still run.

HTH

Rick

New Member

Re: tcp port 443 for anyconnect

Hi Rick,

I configured the ASA and router to allow only port TCP 443 for AnyConnect.

Now AnyConnect works fine.

Config on ASA:

webvpn

svc dtls enable

When a user connects I see the below:

Protocol : Clientless SSL-Tunnel DTLS-Tunnel

So it seems it is also using UDP.

Does DTLS also use port 443?

Regards

Mahesh

Message was edited by: mahesh parmar

Hall of Fame Super Silver

tcp port 443 for anyconnect

Mahesh, to establish a remote access SSL VPN to your ASA, yes, TCP 443 will suffice through the router. When you enable the certificate and webvpn on the outside interface as part of the VPN setup, that tells the ASA to listen for the incoming SSL - so you don't technically "open" 443 on the ASA.

Your VPN setup should have something similar to the following commands, which accomplish what I'm talking about:

ssl trust-point ASDM_TrustPoint0 Outside

webvpn

enable Outside

If you're configuring an IPsec remote access VPN (legacy client with IKEv1 or AnyConnect with IKEv2) then some other protocols need to pass - most notably IP Protocol 50 for ISAKMP to work.

Cisco Employee

tcp port 443 for anyconnect

Rick,

Just FYI

https://tools.ietf.org/html/rfc6347

https://tools.ietf.org/html/rfc4347

Now, if people add some secret sauce in there, that is another topic ;-)

M.

New Member

Re: tcp port 443 for anyconnect

Hi Everyone,

I configured the ASA and router to allow only port TCP 443 for AnyConnect.

Now AnyConnect works fine.

Config on ASA:

webvpn

svc dtls enable

When a user connects I see the below:

Protocol     : Clientless SSL-Tunnel DTLS-Tunnel

So it seems it is also using UDP.

Does DTLS also use port 443?

Regards

Mahesh

Message was edited by: mahesh parmar

Hall of Fame Super Gold

Re: tcp port 443 for anyconnect

Mahesh

I have reviewed the RFCs that define DTLS and they do not say anything about any particular port number for DTLS. But this FAQ for AnyConnect does seem to indicate that it does use UDP 443.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/107391-anyconnect-faqs.html

HTH

Rick
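One way to turn the conclusions of this thread (TCP 443 is always needed, plus UDP on the configured DTLS port when DTLS is enabled) into a check a defender can run against the ASA running-config and a `show vpn-sessiondb` line, as an added example that is not from this thread or from Cisco. It assumes the ASA syntax noted in the comments (`port` and `dtls port` under the global `webvpn` block, `svc dtls enable` or `anyconnect ssl dtls enable` in the group-policy); `GroupPolicy_AC` and port 4433 are constructed sample values.

```python
import re

# Added example, not from the thread. Assumed ASA syntax: global 'webvpn' block with
# 'enable <iface>', 'port N' (TLS, default 443), 'dtls port N' (default 443); DTLS is
# switched on per group-policy by 'svc dtls enable' (older) / 'anyconnect ssl dtls enable'.
DTLS_ENABLE_CMDS = ("svc dtls enable", "anyconnect ssl dtls enable")

def edge_rules_for_anyconnect(asa_config: str) -> list[tuple[str, int]]:
    """Return (protocol, port) pairs the edge router must permit toward the ASA
    outside interface for AnyConnect, derived from the ASA running-config."""
    tls_port, dtls_port = 443, 443           # ASA defaults when not overridden
    webvpn_enabled = dtls_enabled = in_global_webvpn = False
    for raw in asa_config.splitlines():
        if not raw.strip():
            continue
        cmd = raw.strip()
        if not raw.startswith(" "):           # top-level command starts a new block
            in_global_webvpn = cmd == "webvpn"
            continue
        if in_global_webvpn:
            if cmd.startswith("enable "):
                webvpn_enabled = True
            elif m := re.fullmatch(r"port (\d+)", cmd):
                tls_port = int(m.group(1))
            elif m := re.fullmatch(r"dtls port (\d+)", cmd):
                dtls_port = int(m.group(1))
        elif cmd in DTLS_ENABLE_CMDS:         # nested under group-policy ... webvpn
            dtls_enabled = True
    if not webvpn_enabled:
        return []                             # ASA is not listening on the outside at all
    rules = [("tcp", tls_port)]
    if dtls_enabled:
        rules.append(("udp", dtls_port))      # DTLS tunnel, normally UDP 443
    return rules

def tunnels_in_session(vpn_sessiondb_output: str) -> set[str]:
    """Tunnel types from the 'Protocol :' line of 'show vpn-sessiondb anyconnect'."""
    m = re.search(r"^Protocol\s*:\s*(.+)$", vpn_sessiondb_output, re.M)
    return set(m.group(1).split()) if m else set()

# Constructed sample config and session line, modelled on the thread (port 4433 chosen
# to show that a non-default DTLS port changes the required edge rule).
SAMPLE_CONFIG = "webvpn\n enable Outside\n dtls port 4433\n" \
                "group-policy GroupPolicy_AC attributes\n webvpn\n  svc dtls enable\n"
SAMPLE_SESSION = "Protocol     : Clientless SSL-Tunnel DTLS-Tunnel\n"
```

If `tunnels_in_session` reports `DTLS-Tunnel` but `edge_rules_for_anyconnect` yields no `udp` entry, the router ACL is blocking the DTLS tunnel and the client silently falls back to TLS over TCP.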

New Member

Re: tcp port 443 for anyconnect

Thanks, Rick, for looking this up.

Regards

Mahesh
