From: john matijevic (john.matijevic@gmail.com)
Date: Mon Apr 10 2006 - 08:35:07 GMT-3
Hello Mohamed,
Which ports should be allowed in the PIX inbound ACL for a PC to dial a VPN from
the PIX inside to outside?
Answer: Do you mean that an internal client on the inside (private) side of your
network is establishing a VPN to the outside (public) part of the network?
If this is the case, no ACL entry is necessary. Can you post your configs?
Can you post a Network Diagram? Can you be more specific on the trouble that
you are having? Please discuss offline.
Sincerely,
John
On 4/10/06, Alexei Monastyrnyi <alexeim@orcsoftware.com> wrote:
>
> So it should be
> IP 50 (ESP) + UDP 500 for normal IPSec
> or
> UDP 500 + UDP 4500 for IPSec with NAT-T
>
> looking at "denies" in syslogging would help as well
>
> on 10/04/2006 13:09 Mohamed.N wrote:
> > Cisco PIX and Cisco VPN client
> >
> >
> > ----- Original Message -----
> > From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
> > To: "Mohamed.N" <mohamed_n@sifycorp.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, April 10, 2006 4:28 PM
> > Subject: Re: OT:VPN dial in
> >
> >
> >
> >> What VPN clients do you use?
> >>
> >> TCP 1723 for PPTP
> >> IP 50 (ESP) + UDP 500 for IPSec
> >> UDP 500 + UDP 4500 for IPSec with NAT-T
> >>
> >> all are in terms of destination port or protocol.
> >>
> >> but you should not be in need of opening some special ports from inside
> >> to outside unless you have some very special security rules....
> >>
> >> A.
> >>
> >> on 10/04/2006 12:20 Mohamed.N wrote:
> >>
> >>> Hi All
> >>>
> >>> Sorry for slightly OT.
> >>> Which ports should be allowed in the PIX inbound ACL for a PC to dial a VPN
> >>> from the PIX inside to outside?
> >>> I have to allow the whole of IP from the outside VPN server to my inside
> >>> LAN in my inbound PIX ACL, which is showing a RED signal in the audits.
> >>> I tried to look up the ports in syslog, but syslog is not capturing the
> >>> port number. I tried allowing esp, udp 500 etc. No hopes.
> >>> Please help.
> >>>
> >>> Regards
> >>> Mohamed.
> >>> ********** DISCLAIMER **********
> >>> Information contained and transmitted by this E-MAIL is proprietary to
> >>> Sify Limited and is intended for use only by the individual or entity to
> >>> which it is addressed, and may contain information that is privileged,
> >>> confidential or exempt from disclosure under applicable law. If this is
> >>> a forwarded message, the content of this E-MAIL may not have been sent
> >>> with the authority of the Company. If you are not the intended recipient,
> >>> an agent of the intended recipient or a person responsible for delivering
> >>> the information to the named recipient, you are notified that any use,
> >>> distribution, transmission, printing, copying or dissemination of this
> >>> information in any way or in any manner is strictly prohibited. If you
> >>> have received this communication in error, please delete this mail and
> >>> notify us immediately at admin@sifycorp.com
> >>>
> >>> www.sify.com - your homepage on the internet for news, sports, finance,
> >>> astrology, movies, entertainment, food, languages etc.
>
>
--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
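Alexei's two hints (ESP + UDP 500, or UDP 500 + UDP 4500 with NAT-T, and "look at the denies in syslogging") can be combined into a mechanical check. The script below is an added example, not from the thread or from any of its participants: it parses PIX `%PIX-4-106023` "Deny ... by access-group" syslog lines, keeps only denies that come from the known VPN server and carry a protocol or port a VPN client legitimately needs back (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50), and emits the narrow `access-list` entries that replace a blanket "permit ip host <server> ..." line. The VPN server address 203.0.113.10, the client 10.1.1.20, the ACL name `outside_in` and the log lines are all constructed for the example; the exact 106023 text can differ by PIX version, so treat the regular expression as an assumption to check against your own syslog.

```python
"""Derive the minimal PIX inbound ACL for an inside-to-outside VPN client from syslog denies.

Added example, not code from the original thread. Assumptions: syslog lines are in the
%PIX-4-106023 "Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] by access-group"
shape; addresses, ACL name and sample lines below are constructed.
"""
import re
from collections import OrderedDict

# Constructed sample syslog (hypothetical addresses). Line 4 is an unrelated SMB probe
# from a different host and must NOT end up in the proposed ACL.
SAMPLE_SYSLOG = """\
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:10.1.1.20 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.10/500 dst inside:10.1.1.20/500 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.10/4500 dst inside:10.1.1.20/4500 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51023 dst inside:10.1.1.20/445 by access-group "outside_in"
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:10.1.1.20 by access-group "outside_in"
"""

# Portless IP protocols the PIX logs as "protocol <number>"; mapped to the ACL keyword.
IP_PROTO_NAMES = {50: "esp", 51: "ah", 47: "gre"}

# What an IPsec VPN client needs to receive from its server, per the thread:
# IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP 50, no port) when NAT-T is not in use.
VPN_EXPECTED = {("udp", 500), ("udp", 4500), ("esp", None)}

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp|icmp|protocol \d+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r"by access-group \"(?P<acl>[^\"]+)\"",
    re.IGNORECASE,
)


def parse_denies(syslog_text):
    """Return one dict per 106023 deny line: proto, src, dst, dport (None when portless), acl."""
    flows = []
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106023 deny; ignore other message types
        proto = m.group("proto").lower()
        if proto.startswith("protocol "):
            num = int(proto.split()[1])
            proto = IP_PROTO_NAMES.get(num, proto)  # "protocol 50" -> "esp"
        dport = int(m.group("dport")) if m.group("dport") else None
        flows.append({"proto": proto, "src": m.group("src"), "dst": m.group("dst"),
                      "dport": dport, "acl": m.group("acl")})
    return flows


def propose_acl(flows, vpn_server, acl_name="outside_in"):
    """Split denies into (aces, unexpected).

    aces: OrderedDict of PIX ACE text -> number of denies it would have matched, permitting
          only the VPN server, only the expected protocol/port, only to the client that was hit.
    unexpected: denies that are not from the VPN server, or not a protocol/port a VPN client
          needs; these stay denied and are worth a look rather than an ACL line.
    """
    aces = OrderedDict()
    unexpected = []
    for f in flows:
        if f["src"] != vpn_server or (f["proto"], f["dport"]) not in VPN_EXPECTED:
            unexpected.append(f)
            continue
        if f["dport"] is None:   # ESP has no port: permit the protocol host-to-host
            ace = f"access-list {acl_name} permit {f['proto']} host {f['src']} host {f['dst']}"
        else:
            ace = (f"access-list {acl_name} permit {f['proto']} host {f['src']} "
                   f"host {f['dst']} eq {f['dport']}")
        aces[ace] = aces.get(ace, 0) + 1
    return aces, unexpected


if __name__ == "__main__":
    flows = parse_denies(SAMPLE_SYSLOG)
    aces, unexpected = propose_acl(flows, vpn_server="203.0.113.10")
    print("! proposed ACEs (count of matching denies in comment)")
    for ace, n in aces.items():
        print(f"{ace}   ! {n} denies")
    for f in unexpected:
        print(f"! left denied: {f['proto']} {f['src']} -> {f['dst']}:{f['dport']}")
```

Two practical points fall out of the output. First, the UDP 500/4500 entries are usually redundant: the client opens those flows outbound, the PIX keeps a connection entry for them, and return packets are matched against that entry rather than the outside interface's inbound ACL, so in the real denies you will often see only ESP, which the PIX does not track as a connection. Second, if the client and server negotiate NAT-T you will see UDP 4500 and no ESP at all, which is why Alexei lists the two combinations separately; either way the resulting ACE names one server host, one protocol and one client, which is what the audit was objecting to in the blanket "permit ip" line.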
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3