Cisco VPN Client -> PIX over TCP

I have the Cisco VPN Client V3.5 for Win 2k and a Pix 515UR Firewall (V6.2).

Currently all users use IPSec over UDP.

I now have the situation that some users cannot use the UDP Connections anymore as Port 500 (ISAKMP) has been blocked. I would like to be able to force them onto a Specific TCP port (say Port 10000) for sake of argument.

I need to know what lines I need to add to my Pix config to get IPSec over TCP to work. I have scoured the web and with no luck. I can find a way of doing it using the VPN3000 concentrator but not the Pix 515.

Anyone got any links / Ideas?

Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

moduloConnect With a Mentor Commented:
PAQed with no points refunded (of 75)

Community Support Moderator
ISAKMP is a standard port.  I do not think that the PIX supports any means of changing the listening port.  Why would you feel the need to block 500 UDP in the first place?
dsimmAuthor Commented:
I probably need to add to this question.

I am not blocking Port UDP 500, A certain British ISP is. Unfortunately a few of our support engineers chose them as their ISP and cannot now talk back to base. I need to get thier VPN  Clients working whilst they change their provider. I am gambling on the fact that the ISP is blocking on Port Numbers.

I know the Cisco VPN Client on Win 2k has an option to use IPSec over a specific TCP port. I want to use this feature. I just dont know how to configure the TCP port on the PIX. I have the rest of the Pix set up correctly I suspect 2 things either

a. The IPSec over TCP is not supported on Pix ony VPN3000 concentrators

b. I need an access-list, ipsec or similar command to define which port the clients connect to.
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

I don't think this can be done.  Have you done a "debug crypto ipsec" and "debug crypto isakmp"  

dsimmAuthor Commented:
I suspect it cannot be done too. I think that client is quite tightly integrated to the VPN3000 Concentrator Box and this features is specific to that. I know my VPN set up works fine over UDP i.e. when IPSec over UDP is enabled. If I change the client to do IPSec over TCP and use the default Port (10000) the Pix never responds.

I am assuming there is a command in the PIX that allows me to say something like crypto ipsec tcp port <port number>. This of course is a BIG assumption. I have studied for a command that may be of use but I cannot see anything. Hence this post.

Yes I have used said commands. Nothing out of the ordinary. I think the Initial TCP SYN when the Client tries to set up the connection is jsut being dropped by the Pix Outside interface. As I say ,i need a command to tell the Pix to let the IPSec on port 10000 through.

IPSEC uses a standard port that you cannot change on the PIX.
If UDP works, then what's the problem with just having the client use the udp option?
I didn't think the PIX supported TCP encapsulation, only UDP. If you wanted TCP you'd have to get a concentrator.

I was reading this thread because I am trying to get a PIX to encapsulate IPSec to get through an ISP that is blocking it. There seems ot be plenty about how the VPN concentrators do it, but nothing on PIXs. I don't mind whether it is done with UDP or TCP, but as yet I have been unable to find any reference to the PIX being able to do this. Any ideas?
Have you tried to add the command isakmp nat-traversal.  I was never able to get IPSEC over TCP working either.  I had problems with some users who were going through firewalls that were doing PAT and this command fixed it.  Good luck.
PIX does not currently support IPSEC over TCP.
It is sheduled for release in version 7 , 4th qtr 2004.
PAQ it, it has value
All Courses

From novice to tech pro — start learning today.