VPN Client: Needed ports

Posted on 2004-10-26
Last Modified: 2010-05-18
Dear all,
our former PIX515E admin left the company and I inherited the task
of managing the PIX now.
Since I'm a newbie I would like to ask some questions concerning a VPN
connection between a client with Checkpoint's SecuRemote S/W
and a remote VPN server.

I found in our pix these lines:

access-list acl_inside permit ip host Client_IP host VPN Server_IP
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 50
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 256
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 264
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 500
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 501
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 2746

What's the meaning of port 501? I read somewhere it stands for the STMF service, but why is it there?

The next lines in our PIX are these:

access-list acl_outside permit esp host VPN Server_IP host Client_IP
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 256
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 264
access-list acl_outside permit udp host VPN Server_IP host Client_IP eq 501

Are these all the ports we have to open on our PIX for the communication
from the VPN server to our VPN client?
I'm missing the lines for ports 50, 500 and isakmp, for example.

Many thanks in advance for any comments!

Rainer B.
Question by: Friendship
2 Comments

Accepted Solution

by: grblades (earned 600 total points)
For VPN to be permitted through, all you should need in the ACL is isakmp and esp:

access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit esp host Client_IP host VPN Server_IP

Expert Comment

by: plemieux72
When you do a show access-list, do you even get hit counts on the ports in question? If there are no hit counts, maybe they are not needed. Be careful with removing them, however, as someone might require them only once in a while.

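To combine grblades's point (only isakmp and esp are strictly needed for IPsec) with plemieux72's suggestion (check hit counts before touching anything), here is an added audit script that is not part of the original thread. It parses constructed PIX "show access-list" output (sample addresses and hit counts are made up; 10.0.0.5 stands in for Client_IP and 192.0.2.1 for VPN Server_IP) and flags entries that cannot match IPsec traffic at all (tcp eq 50, tcp eq 500) separately from entries that merely have a zero hit count.

```python
import re

# Constructed sample of PIX "show access-list" output (not from the page);
# addresses and hit counts are invented for illustration.
SAMPLE = """\
access-list acl_inside permit ip host 10.0.0.5 host 192.0.2.1 (hitcnt=0)
access-list acl_inside permit tcp host 10.0.0.5 host 192.0.2.1 eq 50 (hitcnt=0)
access-list acl_inside permit tcp host 10.0.0.5 host 192.0.2.1 eq 256 (hitcnt=12)
access-list acl_inside permit tcp host 10.0.0.5 host 192.0.2.1 eq 264 (hitcnt=3)
access-list acl_inside permit tcp host 10.0.0.5 host 192.0.2.1 eq 500 (hitcnt=0)
access-list acl_inside permit udp host 10.0.0.5 host 192.0.2.1 eq 501 (hitcnt=0)
access-list acl_inside permit udp host 10.0.0.5 host 192.0.2.1 eq isakmp (hitcnt=87)
access-list acl_inside permit udp host 10.0.0.5 host 192.0.2.1 eq 2746 (hitcnt=0)
access-list acl_outside permit esp host 192.0.2.1 host 10.0.0.5 (hitcnt=87)
"""

ACE = re.compile(
    r"access-list (?P<acl>\S+) permit (?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+)"
    r"(?: eq (?P<port>\S+))?(?: \(hitcnt=(?P<hits>\d+)\))?$"
)

# 50 and 51 are IP protocol numbers (ESP, AH), not TCP/UDP ports.
IP_PROTOCOL_NUMBERS = {"50": "esp", "51": "ah"}
# IKE (isakmp) runs over udp/500; a tcp/500 entry never matches IKE.
IKE_PORTS = {"500", "isakmp"}
# Check Point SecuRemote ports from the question, named in the report only.
CHECKPOINT_PORTS = {"256": "FW1", "264": "FW1_topo (topology download)",
                    "2746": "UDP encapsulation"}

def audit(show_access_list):
    """Classify each ACE as ok / suspect / unused; return (line, verdict) pairs."""
    findings = []
    for line in show_access_list.splitlines():
        m = ACE.match(line)
        if not m:
            continue
        proto, port, hits = m["proto"], m["port"], m["hits"]
        if port in IP_PROTOCOL_NUMBERS and proto in ("tcp", "udp"):
            verdict = f"suspect: {port} is IP protocol {IP_PROTOCOL_NUMBERS[port]}, not a {proto} port"
        elif port in IKE_PORTS and proto == "tcp":
            verdict = "suspect: IKE/isakmp is udp/500, a tcp entry will never be hit"
        elif hits == "0":
            verdict = "unused: hitcnt=0, observe it for a while before removing"
        else:
            verdict = "ok" + (f" ({CHECKPOINT_PORTS[port]})" if port in CHECKPOINT_PORTS else "")
        findings.append((line, verdict))
    return findings
```

Run `audit(SAMPLE)` (or paste in real "show access-list" output) and review the "suspect" lines first; "unused" lines are only candidates until they have been watched over a full business cycle, as plemieux72 notes.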