Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
908
Views
0
Helpful
2
Replies

VPN Concentrator - IPSec over UDP problem

majstorv
Level 1
Level 1

‎11-29-2003 12:18 PM - edited ‎02-21-2020 12:53 PM

Hello,

Our company managers have lap-tops with application using partner`s VPN Concentrator site (IP address 146.197.27.32, belongs to "NIKE") and should connect as our LAN internal IP addresses (CISCO VPN Client 3.5.2, IPSec over UDP, transparent tunneling) over our ISA 2000 firewall and our CISCO 805 router.

(Sorry, this should not have been advertisement, it`s just that I have had not much of support from their contacts, in fact they are not real sys.admins, and I could not get to any real VPN Concentrator admin. Besides, I hope this will make other people having had the same problem with the same side to post here their suggestions and experience).

Anyway, all they told me is: open UDP 500 and UDP 10000. I am afraid it is not that simple.

They can connect, authenticate, get address from VPN Concentrator ,but when they start using application there is no response from target server. No data ever comes inbound.

Now, I have been experimenting with our CISCO router which is behind firewall (completely public): I assigned public address to Laptop client and tested changing access-list in order to "catch" ports.

All OUTBOUND IP traffic on CISCO is permitted.

For INBOUND access list, I have put:

"permit ip any any" and THIS HELPED.

I have tried with "netstat" on client to see what IP ports are in use but haven`t discovered anything interesting, besides the fact that when application communicates remote server TCP 40400 IS ALWAYS OPENED ON REMOTE SIDE!

When I changed INBOUND access list to:

"permit udp any any

permit tcp any any" NO SUCCESS!

I tried with:

"permit ipinip any any" but NO SUCCESS!

1) Does anyone knows what ports this VPN Concentrator really uses and how to find out what specific IP protocols and ports should be opened on CISCO 805, both in and out?

2) If VPN CONCENTRATOR (146.197.27.32) admins do not follow this forum, how to monitor ports and IP protocols in use on CISCO IOS 12.2 during succesful session which I described above? Something like "netstat" in Windows.

3) What firewalls at clients` side support this if ISA doesn`t (Win2000 environment)? Please, only confirmed through testing.

Regards,

Vladimir

Labels:
0 Helpful
2 Replies 2

nikhil_m
Level 1
Level 1

‎12-08-2003 08:36 AM

but permit ip any any is really security breach...

0 Helpful

rob.wright
Level 1
Level 1

‎12-10-2003 12:17 PM

check out this link for cisco vpn 3000 series"

<<http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml#Q3>>

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents