Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN to outside source

We have some clients that need to connect to their parent company using a VPN tunnel from our lan to their lan.  Currently when the try to connect they are disconnected.

All of our clients are directed to go out through our proxy server which then travels through our pix firewall.

Currently when they try to connect they are getting a time out error.

I have the following ports open via access rules to the ip address of the server that they connect to.

IPSec, L2TP and PPTP  which requires ports 500, 1701, and 1723 

I can create an exception to not have them go through our proxy but, this did not make a difference.

Can anyone give me a clue as to what I am missing here?  I want to make sure that our security does not become an issue but at the same time I need to make sure we are secure.

Thank you in advance for your suggestions and assistance.

Sincerely,

TJ

2 REPLIES
Cisco Employee

VPN to outside source

For IPSec, here are the standard ports: UDP/500, UDP/4500, ESP protocol, and also configure "inspect ipsec-pass-thru" on your global policy:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1740887

For L2TP, here are the standard ports: TCP/1701, GRE protocol

For PPTP, here are the standard ports: TCP/1723, GRE protocol, and also configure "inspect pptp" on your global policy:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

For IPSec, if the IPSec server does not enable NAT-T, you will need to configure static 1:1 to allow ESP to go through.

Hope that helps.

New Member

VPN to outside source

Ok. I will give this a try.  I thought since the vpn was hosted else where, that I could just allow access through the normal acl's.

I appreciate the help.

298
Views
0
Helpful
2
Replies
CreatePlease to create content