Solved

VPN Client: Needed ports

Posted on 2004-10-26
878 Views
Last Modified: 2010-05-18
Dear all,
our former PIX515E admin left the company and I inherited the task
of managing the PIX now.
Since I'm a newbie, I would like to ask some questions concerning a VPN
connection between a client with Checkpoint's SecuRemote S/W
and a remote VPN server.

I found in our pix these lines:

access-list acl_inside permit ip host Client_IP host VPN_Server_IP
access-list acl_inside permit tcp host Client_IP host VPN_Server_IP eq 50
access-list acl_inside permit tcp host Client_IP host VPN_Server_IP eq 256
access-list acl_inside permit tcp host Client_IP host VPN_Server_IP eq 264
access-list acl_inside permit tcp host Client_IP host VPN_Server_IP eq 500
access-list acl_inside permit udp host Client_IP host VPN_Server_IP eq 501
access-list acl_inside permit udp host Client_IP host VPN_Server_IP eq isakmp
access-list acl_inside permit udp host Client_IP host VPN_Server_IP eq 2746

What is the meaning of port 501? I read somewhere that it stands for the STMF service, but why is it there?

The next lines in our PIX are these:

access-list acl_outside permit esp host VPN_Server_IP host Client_IP
access-list acl_outside permit tcp host VPN_Server_IP host Client_IP eq 256
access-list acl_outside permit tcp host VPN_Server_IP host Client_IP eq 264
access-list acl_outside permit udp host VPN_Server_IP host Client_IP eq 501

Are these all the ports we have to open on our PIX for the communication
from the VPN server to our VPN client?
I'm missing the lines for ports 50, 500 and isakmp, for example.

Many thanks in advance for any comments!

Rainer B.
Question by:Friendship
    2 Comments
     
    LVL 36

    Accepted Solution

    by:
    For the VPN to be permitted through, all you should need in the ACL is isakmp and esp:

    access-list acl_inside permit udp host Client_IP host VPN_Server_IP eq isakmp
    access-list acl_inside permit esp host Client_IP host VPN_Server_IP
     
    LVL 10

    Expert Comment

    by:plemieux72
    When you do a show access-list, do you even get hit counts on the ports in question? If there are no hit counts, maybe they are not needed. Be careful with removing them, however, as someone might require them only once in a while.

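The comment above suggests reading hit counts, and the question asks which of the quoted entries a SecuRemote IPsec client actually needs. The following Python script is an added example, not code from the post, from Cisco or from Check Point: it parses `show access-list` output, flags zero-hit entries, notes where an earlier `permit ip` between the same two hosts already shadows every port-specific line after it, and labels the well-known ports. The sample output is constructed with RFC 5737 addresses and invented hit counts. IKE (UDP/500), ESP (IP protocol 50), AH (IP protocol 51) and NAT-T (UDP/4500) are IANA assignments; the labels for TCP/256, TCP/264 and UDP/2746 follow Check Point's service names (FW1, FW1_topo, VPN1_IPSEC_encapsulation) and should be confirmed against the documentation for the installed SecuRemote version. Two entries in the quoted ACL are mis-specified rather than merely unused: `tcp eq 50` names a TCP port, but 50 is the IP protocol number of ESP, and IKE runs over UDP/500, not TCP/500.

```python
import re

# Constructed sample of PIX 'show access-list' output (not from the post): the
# entries quoted in the question, with RFC 5737 documentation addresses standing
# in for Client_IP (192.0.2.10) and VPN_Server_IP (203.0.113.10) and invented
# hit counts so the zero-hit check has something to work on.
SAMPLE_SHOW_ACL = """\
access-list acl_inside line 1 permit ip host 192.0.2.10 host 203.0.113.10 (hitcnt=1832)
access-list acl_inside line 2 permit tcp host 192.0.2.10 host 203.0.113.10 eq 50 (hitcnt=0)
access-list acl_inside line 3 permit tcp host 192.0.2.10 host 203.0.113.10 eq 256 (hitcnt=0)
access-list acl_inside line 4 permit tcp host 192.0.2.10 host 203.0.113.10 eq 264 (hitcnt=0)
access-list acl_inside line 5 permit tcp host 192.0.2.10 host 203.0.113.10 eq 500 (hitcnt=0)
access-list acl_inside line 6 permit udp host 192.0.2.10 host 203.0.113.10 eq 501 (hitcnt=0)
access-list acl_inside line 7 permit udp host 192.0.2.10 host 203.0.113.10 eq isakmp (hitcnt=0)
access-list acl_inside line 8 permit udp host 192.0.2.10 host 203.0.113.10 eq 2746 (hitcnt=0)
access-list acl_outside line 1 permit esp host 203.0.113.10 host 192.0.2.10 (hitcnt=412)
access-list acl_outside line 2 permit tcp host 203.0.113.10 host 192.0.2.10 eq 256 (hitcnt=0)
access-list acl_outside line 3 permit tcp host 203.0.113.10 host 192.0.2.10 eq 264 (hitcnt=0)
access-list acl_outside line 4 permit udp host 203.0.113.10 host 192.0.2.10 eq 501 (hitcnt=0)
"""

# One host-to-host access-list entry (ACE) as printed by 'show access-list'.
# The optional 'line N' and 'extended' tokens cover PIX 6.x and later syntaxes.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?"
)

# PIX prints some well-known ports by name; map the ones that matter here.
PORT_NAMES = {"isakmp": 500}

# What each (protocol, port) pair means for an IPsec / SecuRemote client.
KNOWN = {
    ("esp", None): ("keep", "IPsec ESP, IP protocol 50: carries the tunnelled traffic"),
    ("ah", None): ("keep", "IPsec AH, IP protocol 51: keep only if the gateway negotiates AH"),
    ("udp", 500): ("keep", "IKE/ISAKMP: tunnel negotiation"),
    ("udp", 4500): ("keep", "IKE/ESP NAT-Traversal (RFC 3948): needed when a NAT sits between the peers"),
    ("tcp", 256): ("checkpoint", "FW1: Check Point service used by older SecuRemote clients"),
    ("tcp", 264): ("checkpoint", "FW1_topo: SecuRemote/SecureClient topology download"),
    ("udp", 2746): ("checkpoint", "VPN1_IPSEC_encapsulation: Check Point UDP encapsulation of ESP"),
    ("tcp", 50): ("bogus", "50 is the IP protocol number of ESP, not a TCP port; use 'permit esp'"),
    ("tcp", 500): ("bogus", "IKE runs over UDP/500, not TCP/500"),
}
UNKNOWN = ("unknown", "not part of IPsec or a documented SecuRemote service; verify before keeping")


def parse(text):
    """Parse 'show access-list' output into ACE dicts, skipping lines that do not match."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        ace = m.groupdict()
        port = ace["port"]
        if port is not None:
            ace["port"] = int(port) if port.isdigit() else PORT_NAMES.get(port, port)
        ace["hits"] = int(ace["hits"]) if ace["hits"] is not None else None
        aces.append(ace)
    return aces


def audit(text):
    """Annotate each ACE with a verdict, a reason, whether an earlier 'permit ip'
    between the same hosts already shadows it, and whether it has zero hits."""
    findings = []
    covered = set()  # (acl, src, dst) pairs already matched by a 'permit ip' entry
    for ace in parse(text):
        key = (ace["acl"], ace["src"], ace["dst"])
        shadowed = key in covered
        if ace["proto"] == "ip" and ace["action"] == "permit":
            covered.add(key)
            verdict, why = "broad", "permits every IP protocol between the hosts; later entries for the pair are redundant"
        else:
            verdict, why = KNOWN.get((ace["proto"], ace["port"]), UNKNOWN)
        findings.append({**ace, "verdict": verdict, "why": why,
                         "shadowed": shadowed, "unused": ace["hits"] == 0})
    return findings


def report(text):
    """Print one line per ACE: ACL, protocol/port, verdict, flags, explanation."""
    for f in audit(text):
        flags = ("SHADOWED " if f["shadowed"] else "") + ("hitcnt=0" if f["unused"] else "")
        spec = f["proto"] + (f" eq {f['port']}" if f["port"] is not None else "")
        print(f"{f['acl']:12} {spec:12} {f['verdict']:10} {flags:18} {f['why']}")


if __name__ == "__main__":
    report(SAMPLE_SHOW_ACL)
```

Run against the real `show access-list` output before pruning anything: a zero hit count only proves the entry was unused since the counters were last cleared, and on the sample above every port-specific `acl_inside` line is shadowed by the `permit ip` entry before it, so its counter can never increment no matter what the client sends.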
