VPN Client: Needed ports

Dear all,
our former PIX 515E admin left the company and I inherited the task
of managing the PIX now.
Since I'm a newbie I would like to ask some questions concerning a VPN
connection between a client with Checkpoint's SecuRemote S/W
and a remote VPN Server.

I found in our pix these lines:

access-list acl_inside permit ip host Client_IP host VPN Server_IP
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 50
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 256
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 264
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 500
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 501
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 2746

What's the meaning of port 501? I read somewhere that it stands for the STMF service, but why is it there?

The next lines in our PIX are these:

access-list acl_outside permit esp host VPN Server_IP host Client_IP
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 256
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 264
access-list acl_outside permit udp host VPN Server_IP host Client_IP eq 501

Are these all ports we have to open on our PIX for the communication
from the VPN server to our VPN Client?
I'm missing the lines for ports 50, 500 and isakmp, for example.

Many thanks in advance for any comments!

Rainer B.
FriendshipAsked:

grbladesCommented:
For the VPN to be permitted through, all you should need in the ACL is isakmp and esp:

access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit esp host Client_IP host VPN Server_IP
plemieux72Commented:
When you do a show access-list, do you even get hit counts on the ports in question? If there are no hit counts, maybe they are not needed. Be careful with removing them, however, as someone might require them only once in a while.

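A small review script, added here rather than taken from the thread, that applies both suggestions above to a constructed `show access-list` listing: it flags entries already covered by a broader `permit ip` line between the same hosts (which is why the narrower tcp/udp lines in acl_inside can never be matched) and entries whose hit count is zero. The addresses and hit counts are made up, and the output format is assumed to be the PIX 6.x style without `line N` or `extended` keywords; adapt the regex if your version prints them.

```python
import re

# Constructed sample of PIX "show access-list" output (not from the thread);
# documentation-range addresses and made-up hit counts.
SAMPLE_SHOW_ACL = """\
access-list acl_inside permit ip host 10.1.1.10 host 192.0.2.1 (hitcnt=3412)
access-list acl_inside permit tcp host 10.1.1.10 host 192.0.2.1 eq 50 (hitcnt=0)
access-list acl_inside permit tcp host 10.1.1.10 host 192.0.2.1 eq 256 (hitcnt=0)
access-list acl_inside permit tcp host 10.1.1.10 host 192.0.2.1 eq 264 (hitcnt=0)
access-list acl_inside permit tcp host 10.1.1.10 host 192.0.2.1 eq 500 (hitcnt=0)
access-list acl_inside permit udp host 10.1.1.10 host 192.0.2.1 eq 501 (hitcnt=0)
access-list acl_inside permit udp host 10.1.1.10 host 192.0.2.1 eq isakmp (hitcnt=0)
access-list acl_inside permit udp host 10.1.1.10 host 192.0.2.1 eq 2746 (hitcnt=0)
access-list acl_outside permit esp host 192.0.2.1 host 10.1.1.10 (hitcnt=57)
access-list acl_outside permit tcp host 192.0.2.1 host 10.1.1.10 eq 256 (hitcnt=0)
access-list acl_outside permit udp host 192.0.2.1 host 10.1.1.10 eq 501 (hitcnt=0)
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) permit (?P<proto>\S+) host (?P<src>\S+) "
    r"host (?P<dst>\S+)(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)$"
)

def parse_aces(text):
    """One dict per matching ACE line; non-matching lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append({**m.groupdict(), "hits": int(m.group("hits"))})
    return aces

def is_shadowed(ace, earlier):
    """An earlier 'permit ip' between the same hosts already covers this ACE."""
    return any(e["proto"] == "ip" and (e["acl"], e["src"], e["dst"])
               == (ace["acl"], ace["src"], ace["dst"]) for e in earlier)

def review(text):
    """Per ACL: ACEs shadowed by a broader 'permit ip', and ACEs never hit."""
    report = {}
    aces = parse_aces(text)
    for i, ace in enumerate(aces):
        entry = report.setdefault(ace["acl"], {"shadowed": [], "unused": []})
        label = f'{ace["proto"]}/{ace["port"] or "any"}'
        if ace["proto"] != "ip" and is_shadowed(ace, aces[:i]):
            entry["shadowed"].append(label)  # hits stay 0 because 'ip' wins
        elif ace["hits"] == 0:
            entry["unused"].append(label)
    return report
```

Shadowed entries can be dropped without changing behaviour; zero-hit entries that are not shadowed are the ones to watch over time before removing, as the second reply cautions.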