Cisco VPN Client -> PIX over TCP

I have the Cisco VPN Client V3.5 for Win 2k and a Pix 515UR Firewall (V6.2).

Currently all users use IPSec over UDP.

I now have the situation that some users cannot use the UDP Connections anymore as Port 500 (ISAKMP) has been blocked. I would like to be able to force them onto a Specific TCP port (say Port 10000) for sake of argument.

I need to know what lines I need to add to my Pix config to get IPSec over TCP to work. I have scoured the web and Cisco.com with no luck. I can find a way of doing it using the VPN3000 concentrator but not the Pix 515.

Anyone got any links / Ideas?

Cheers
dsimm asked:

modulo commented:
PAQed with no points refunded (of 75)

modulo
Community Support Moderator

geoffryn commented:
ISAKMP is a standard port.  I do not think that the PIX supports any means of changing the listening port.  Why would you feel the need to block 500 UDP in the first place?

dsimm (author) commented:
I probably need to add to this question.

I am not blocking Port UDP 500, a certain British ISP is. Unfortunately a few of our support engineers chose them as their ISP and cannot now talk back to base. I need to get their VPN Clients working whilst they change their provider. I am gambling on the fact that the ISP is blocking on Port Numbers.

I know the Cisco VPN Client on Win 2k has an option to use IPSec over a specific TCP port. I want to use this feature. I just don't know how to configure the TCP port on the PIX. I have the rest of the Pix set up correctly. I suspect 2 things, either

a. The IPSec over TCP is not supported on Pix, only VPN3000 concentrators

b. I need an access-list, ipsec or similar command to define which port the clients connect to.

geoffryn commented:
I don't think this can be done.  Have you done a "debug crypto ipsec" and "debug crypto isakmp"  


dsimm (author) commented:
I suspect it cannot be done too. I think that client is quite tightly integrated to the VPN3000 Concentrator Box and this feature is specific to that. I know my VPN set up works fine over UDP i.e. when IPSec over UDP is enabled. If I change the client to do IPSec over TCP and use the default Port (10000) the Pix never responds.

I am assuming there is a command in the PIX that allows me to say something like crypto ipsec tcp port <port number>. This of course is a BIG assumption. I have studied http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm for a command that may be of use but I cannot see anything. Hence this post.

Yes I have used said commands. Nothing out of the ordinary. I think the Initial TCP SYN when the Client tries to set up the connection is just being dropped by the Pix Outside interface. As I say, I need a command to tell the Pix to let the IPSec on port 10000 through.

lrmoore commented:
IPSEC uses a standard port that you cannot change on the PIX.
If UDP works, then what's the problem with just having the client use the udp option?

cephal0pod commented:
I didn't think the PIX supported TCP encapsulation, only UDP. If you wanted TCP you'd have to get a concentrator.


hetreed commented:
I was reading this thread because I am trying to get a PIX to encapsulate IPSec to get through an ISP that is blocking it. There seems to be plenty about how the VPN concentrators do it, but nothing on PIXs. I don't mind whether it is done with UDP or TCP, but as yet I have been unable to find any reference to the PIX being able to do this. Any ideas?

knowlege commented:
Have you tried to add the command isakmp nat-traversal.  I was never able to get IPSEC over TCP working either.  I had problems with some users who were going through firewalls that were doing PAT and this command fixed it.  Good luck.

walterthebat commented:
PIX does not currently support IPSEC over TCP.
It is scheduled for release in version 7, 4th qtr 2004.

geoffryn commented:
PAQ it, it has value