[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 882
  • Last Modified:

VPN Client: Needed ports

Dear all,
our former PIX515E admin left the company and I inherit the task
to manage the PIX now.
Since I'm a newbie I would like to ask some questions concerning a VPN
connection between a client with Checkpoint's SecuRemote S/W
and a remote VPN Server.

I found in our pix these lines:

access-list acl_inside permit ip host Client_IP host VPN Server_IP
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 50
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 256
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 264
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 500
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 501
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 2746

What's the meaning of the port 501 I read somewhere it stands for the STMF service but why is it there?

The next lines in our PIX are these:

access-list acl_outside permit esp host VPN Server_IP host Client_IP
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 256
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 264
access-list acl_outside permit udp host VPN Server_IP host Client_IP eq 501

Are these all ports we have to open on our PIX for the communication
from the VPN server to our VPN Client?
I'm missing the lines for the ports 50, 500, isakmp for examples.

Many thanks in advance for any comments!

Rainer B.
0
Friendship
Asked:
Friendship
1 Solution
 
grbladesCommented:
For VPN to be permitted through all you should need in the ACL is isakmp and esp :-

access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit ip host Client_IP host VPN Server_IP eq esp
0
 
plemieux72Commented:
When you do a show access-list, do you even get hitcounts on the ports in question?  If no hitcounts, maybe they are not needed.  Be careful with removing them however as someone might require them only once in a while???

0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now