From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Mon Apr 10 2006 - 08:11:57 GMT-3
So it should be
IP 50 (ESP) + UDP 500 for normal IPSec
or
UDP 500 + UDP 4500 for IPSec with NAT-T
Looking at "denies" in syslogging would help as well.
on 10/04/2006 13:09 Mohamed.N wrote:
> Cisco PIX and Cisco VPN client
>
>
> ----- Original Message -----
> From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
> To: "Mohamed.N" <mohamed_n@sifycorp.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, April 10, 2006 4:28 PM
> Subject: Re: OT:VPN dial in
>
>
>
>> What VPN clients do you use?
>>
>> TCP 1723 for PPTP
>> IP 50 (ESP) + UDP 500 for IPSec
>> UDP 500 + UDP 4500 for IPSec with NAT-T
>>
>> all are in terms of destination port or protocol.
>>
>> but you should not be in need of opening some special ports from inside
>> to outside unless you have some very special security rules....
>>
>> A.
>>
>> on 10/04/2006 12:20 Mohamed.N wrote:
>>
>>> Hi All
>>>
>>> Sorry for being slightly OT.
>>> What ports to allow in the PIX inbound ACL for a PC to dial VPN from PIX
>>> inside to outside?
>>> I have to allow the whole IP from the outside VPN server to my inside LAN in
>>> my inbound PIX ACL, which is showing a RED signal in the audits..
>>> I tried to look up the ports in syslog, but syslog is not capturing the port
>>> number.... I tried allowing esp, udp 500 etc.. no hope..
>>> Pls help.
>>>
>>> Regards
>>> Mohamed.
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3