
VPN Client: Needed ports 1


dasa123

IS-IT--Management
Sep 26, 2002
Dear all,
Our former PIX515E admin left the company and I have inherited the task
of managing the PIX now.
Since I'm a newbie, I would like to ask some questions concerning a VPN
connection between a client with Checkpoint's SecuRemote S/W
and a remote VPN server.

I found in our pix these lines:

access-list acl_inside permit ip host Client_IP host VPN Server_IP
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 50
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 256
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 264
access-list acl_inside permit tcp host Client_IP host VPN Server_IP eq 500
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 501
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq isakmp
access-list acl_inside permit udp host Client_IP host VPN Server_IP eq 2746

What's the meaning of port 501? I read somewhere it stands for the STMF service, but why is it there?

The next lines in our PIX are these:

access-list acl_outside permit esp host VPN Server_IP host Client_IP
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 256
access-list acl_outside permit tcp host VPN Server_IP host Client_IP eq 264
access-list acl_outside permit udp host VPN Server_IP host Client_IP eq 501

Are these all the ports we have to open on our PIX for the communication
from the VPN server to our VPN client?
I'm missing the lines for ports 50, 500 and isakmp, for example.

Many thanks in advance for any comments!

Rainer B.
 
Your old admin clearly didn't understand the concepts.
When you permit all IP, like you do in the first line, all subsidiary lines are never met.
Try a show access-list and see the hit counts.
I bet only the first line has hits.

I think that he has test-and-trialed a bit there.
tcp/50 I think he mistook for protocol/50, which is ESP.
Same goes for tcp/500, which should be udp/500 for ISAKMP.
You should read the Checkpoint manual for what ports are needed for the VPN client.


HTH
Martin
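As an added illustration of Martin's point (example code, not from the thread or from Cisco): a small first-match ACL simulator over a constructed sample modelled on the acl_inside lines, with placeholder hosts CLIENT and VPNSRV. It shows that the `permit ip` line takes every hit, that every later line is unreachable, and that tcp/50 never matches ESP traffic (IP protocol 50).

```python
from __future__ import annotations
import re
from dataclasses import dataclass
PORT_NAMES = {"isakmp": 500}  # the only named port in the quoted lines

@dataclass(frozen=True)
class Ace:
    proto: str         # "ip", "tcp", "udp" or "esp"; packets reuse these fields
    src: str
    dst: str
    port: int | None   # destination port, None for ip/esp

ACE_RE = re.compile(r"access-list \S+ permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?$")
def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported line: {line!r}")
    proto, src, dst, port = m.groups()
    return Ace(proto, src, dst, None if port is None else PORT_NAMES.get(port) or int(port))

def matches(ace: Ace, pkt: Ace) -> bool:
    """Does this entry cover the packet? 'ip' covers every protocol; no port means any port."""
    return (ace.proto in ("ip", pkt.proto) and ace.src == pkt.src and ace.dst == pkt.dst
            and (ace.port is None or ace.port == pkt.port))

def hit_counts(acl: list[Ace], pkts: list[Ace]) -> list[int]:
    """Simulate the counters of 'show access-list': only the first matching entry is hit."""
    hits = [0] * len(acl)
    for p in pkts:
        for i, a in enumerate(acl):
            if matches(a, p):
                hits[i] += 1
                break
    return hits

def shadowed(acl: list[Ace]) -> dict[int, int]:
    """Entries that can never be reached -> an earlier entry that already covers their traffic."""
    return {j: i for j, b in enumerate(acl) for i in range(j) if matches(acl[i], b)}

# Constructed sample modelled on the thread's acl_inside; CLIENT and VPNSRV are placeholder hosts.
ACL_INSIDE = [parse_ace(l) for l in """
access-list acl_inside permit ip host CLIENT host VPNSRV
access-list acl_inside permit tcp host CLIENT host VPNSRV eq 50
access-list acl_inside permit tcp host CLIENT host VPNSRV eq 500
access-list acl_inside permit udp host CLIENT host VPNSRV eq isakmp
""".splitlines() if l.strip()]
# Constructed traffic: ISAKMP (udp/500) and ESP (IP protocol 50) from the client to the VPN server.
TRAFFIC = [Ace("udp", "CLIENT", "VPNSRV", 500), Ace("esp", "CLIENT", "VPNSRV", None)]
```

`hit_counts(ACL_INSIDE, TRAFFIC)` gives `[2, 0, 0, 0]` and `shadowed(ACL_INSIDE)` reports lines 2 to 4 as covered by line 1; with the `permit ip` line removed, the ESP packet matches nothing, because `tcp eq 50` is not IP protocol 50.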
 
@mbilgrav
=========

Perfect answer!

Thanks, Rainer
 