Cisco VPN Client -> PIX over TCP

Posted on 2003-03-12
Medium Priority
Last Modified: 2013-11-16
I have the Cisco VPN Client V3.5 for Win 2k and a Pix 515UR Firewall (V6.2).

Currently all users use IPSec over UDP.

I now have the situation that some users cannot use the UDP connections anymore as Port 500 (ISAKMP) has been blocked. I would like to be able to force them onto a specific TCP port (say Port 10000) for the sake of argument.

I need to know what lines I need to add to my Pix config to get IPSec over TCP to work. I have scoured the web and Cisco.com with no luck. I can find a way of doing it using the VPN3000 concentrator but not the Pix 515.

Anyone got any links / Ideas?

Question by:dsimm
LVL 11

Expert Comment

ID: 8124246
ISAKMP is a standard port.  I do not think that the PIX supports any means of changing the listening port.  Why would you feel the need to block 500 UDP in the first place?

Author Comment

ID: 8126349
I probably need to add to this question.

I am not blocking Port UDP 500, a certain British ISP is. Unfortunately a few of our support engineers chose them as their ISP and cannot now talk back to base. I need to get their VPN Clients working whilst they change their provider. I am gambling on the fact that the ISP is blocking on Port Numbers.

I know the Cisco VPN Client on Win 2k has an option to use IPSec over a specific TCP port. I want to use this feature. I just don't know how to configure the TCP port on the PIX. I have the rest of the Pix set up correctly. I suspect one of two things, either:

a. IPSec over TCP is not supported on the Pix, only on VPN3000 concentrators.

b. I need an access-list, ipsec or similar command to define which port the clients connect to.
LVL 11

Expert Comment

ID: 8128886
I don't think this can be done.  Have you done a "debug crypto ipsec" and "debug crypto isakmp"?

Author Comment

ID: 8129105
I suspect it cannot be done too. I think that client is quite tightly integrated with the VPN3000 Concentrator box and this feature is specific to that. I know my VPN set up works fine over UDP, i.e. when IPSec over UDP is enabled. If I change the client to do IPSec over TCP and use the default port (10000) the Pix never responds.

I am assuming there is a command in the PIX that allows me to say something like crypto ipsec tcp port <port number>. This of course is a BIG assumption. I have studied http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm for a command that may be of use but I cannot see anything. Hence this post.

Yes, I have used said commands. Nothing out of the ordinary. I think the initial TCP SYN when the Client tries to set up the connection is just being dropped by the Pix outside interface. As I say, I need a command to tell the Pix to let the IPSec on port 10000 through.

LVL 79

Expert Comment

ID: 8135968
IPSEC uses a standard port that you cannot change on the PIX.
If UDP works, then what's the problem with just having the client use the udp option?

Expert Comment

ID: 8314413
I didn't think the PIX supported TCP encapsulation, only UDP. If you wanted TCP you'd have to get a concentrator.


Expert Comment

ID: 10540513
I was reading this thread because I am trying to get a PIX to encapsulate IPSec to get through an ISP that is blocking it. There seems to be plenty about how the VPN concentrators do it, but nothing on PIXs. I don't mind whether it is done with UDP or TCP, but as yet I have been unable to find any reference to the PIX being able to do this. Any ideas?

Expert Comment

ID: 10620488
Have you tried to add the command isakmp nat-traversal.  I was never able to get IPSEC over TCP working either.  I had problems with some users who were going through firewalls that were doing PAT and this command fixed it.  Good luck.
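
For reference, the NAT-T workaround mentioned above in the context of a typical PIX 6.x remote-access (VPN Client) configuration. This is an added example, not configuration from the poster or from Cisco documentation; it assumes PIX 6.3 or later (where isakmp nat-traversal is available), an inside network of 192.168.1.0/24, a client pool of 10.10.10.0/24 and a group name of vpn3000, all of which are constructed values.

```text
! Exempt client-pool traffic from NAT so decrypted packets reach the inside net
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Addresses handed out to VPN Clients
ip local pool vpnpool 10.10.10.1-10.10.10.50

! Let IPSec traffic bypass the interface ACLs once a tunnel is up
sysopt connection permit-ipsec

! Phase 2: ESP with 3DES and SHA-1 HMAC, bound via a dynamic map
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside

! Phase 1: ISAKMP on the outside interface, pre-shared key, DH group 2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! NAT traversal: after NAT is detected in phase 1, IKE and ESP float to
! UDP 4500 (ESP-in-UDP). 20 = keepalive interval in seconds.
isakmp nat-traversal 20

! VPN Client group; the group password is the phase-1 pre-shared key
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 192.168.1.10
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password <group-password-placeholder>
```

Note that NAT-T still begins the ISAKMP exchange on UDP 500 and only moves to UDP 4500 once both peers detect a NAT in the path, so it fixes the PAT case described in this comment but not an ISP that drops UDP 500 outright, which is the original poster's situation.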

Expert Comment

ID: 10666351
PIX does not currently support IPSEC over TCP.
It is scheduled for release in version 7, 4th qtr 2004.
LVL 11

Expert Comment

ID: 12547287
PAQ it, it has value

Accepted Solution

modulo earned 0 total points
ID: 12577820
PAQed with no points refunded (of 75)

Community Support Moderator
