

L2TP Ports

Question

Thursday, December 20, 2012 9:10 PM

Hi,

I have an RRAS server acting as VPN access (I use the L2TP protocol).

What ports do I need to open in the firewall to enable the VPN?

I searched the net and found many ports.

For example, is protocol ESP used, or what?

All replies (4)

Friday, December 21, 2012 7:23 AM ✅Answered

Hi,

We need to open UDP 500 and 4500 in our firewall.

For more details, please refer to:

Configure a Firewall for VPN Traffic

http://technet.microsoft.com/en-us/library/dd458955(v=ws.10).aspx

Hope this helps.

Jeremy Wu
TechNet Community Support


Sunday, December 23, 2012 10:29 PM ✅Answered

HI,

Is it obligatory to open ESP and AH or not?

For L2TP, yes, you must open ESP and AH.

.

My firewall supports only UDP or TCP.

I don't understand your statement.

Does that mean your perimeter firewall only supports UDP?

Or does your statement mean that it only supports TCP?

Please clarify.

.

To add, I've never heard of a firewall that only supports either TCP or UDP. All firewalls I am aware of and have worked with support both UDP and TCP. And as I said in my previous post, the way you open AH and ESP highly depends on the name brand and model# of your firewall.

Please post your firewall's name brand, model# and IOS version.

Thank you.

.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Saturday, December 22, 2012 6:08 AM | 1 vote

To add, these are the ports I usually open depending on the VPN type I am allowing in:

PPTP:
TCP 1723
GRE

About GRE - it's also known as "protocol ID 47," but note that this is not a true port #; rather, it's a "protocol number." Configuring it in a firewall depends on the brand name and IOS version of the firewall. An older Linksys router calls it "VPN Passthrough," but it only supports PPTP, unless there was an update that provides it (I'm not 100% familiar with all their versions). A newer Linksys supports both L2TP and PPTP, and refers to it as "L2TP Passthrough" or "PPTP Passthrough"; this also depends on the model# and versions. The Cisco ASA 5500 series and PIX 50x series have a built-in service you can choose called "GRE." For Juniper, DLink, NetGear, etc., please consult their docs or online support site.

.

L2TP:
TCP 1701
UDP 500   - This is for the security association (also called the SA) to negotiate the security method, whether it's a password, certificate or Kerberos.
AH  - Also called Authenticated Headers. This is Protocol ID 50 - and like above, this is not a port, and it depends on your firewall on how to configure it.
ESP - Encapsulated Secure Payload. This is Protocol ID 51 - and like above, this is not a port, and it depends on your firewall on how to configure it.

.

SSTP:
TCP 443

.

Direct Access - (DA is not really a VPN, but for this discussion, I'm just posting the port):
TCP 443

.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.
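
The two answers above (Jeremy Wu's "UDP 500 and 4500" and Ace Fekay's per-tunnel-type list) both boil down to checking a perimeter policy against a short list of required flows. The script below is an added example written for this page, not code from the thread or from Microsoft. The IP protocol numbers are the IANA assignments (GRE = 47, ESP = 50, AH = 51; these are protocol numbers, not ports). It assumes the IPsec SA is ESP, which is what RRAS L2TP/IPsec negotiates (AH is recognised by the parser but no tunnel type here requires it), that L2TP's own UDP 1701 rides inside the ESP payload rather than being opened separately, and that when a NAT sits between client and server the exchange moves to NAT-T on UDP 4500 with ESP encapsulated in UDP. The `allow <proto> [port]` policy text format, the `l2tp-ipsec-nat-t` label and the iptables rendering are conventions invented for this example; the sample policy models the poster's firewall that can only filter TCP and UDP.

```python
"""Check a perimeter firewall policy against the traffic an RRAS VPN needs.

Added example, not code from the original thread.  IP protocol numbers are the
IANA assignments (GRE = 47, ESP = 50, AH = 51); the 'allow ...' policy text
format and the iptables rendering are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers. GRE, ESP and AH are protocols, not ports.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PROTO_NAMES = {"tcp": PROTO_TCP, "udp": PROTO_UDP, "gre": PROTO_GRE,
               "esp": PROTO_ESP, "ah": PROTO_AH}


@dataclass(frozen=True)
class Flow:
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP
    note: str = ""


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None   # None: any port, or protocol has none


# Inbound traffic each RRAS tunnel type needs at the perimeter.
REQUIRED = {
    "pptp": [Flow(PROTO_TCP, 1723, "PPTP control"),
             Flow(PROTO_GRE, None, "GRE-encapsulated PPP")],
    # L2TP/IPsec with no NAT in the path: IKE on UDP 500 plus raw ESP.
    # L2TP itself (UDP 1701) travels inside the ESP payload, so it is not
    # opened separately at the perimeter.
    "l2tp-ipsec": [Flow(PROTO_UDP, 500, "IKE"),
                   Flow(PROTO_ESP, None, "ESP carrying L2TP")],
    # Client behind NAT (NAT-T): IKE continues on UDP 4500 and ESP is
    # UDP-encapsulated on 4500, so a TCP/UDP-only firewall can pass it.
    "l2tp-ipsec-nat-t": [Flow(PROTO_UDP, 500, "IKE"),
                         Flow(PROTO_UDP, 4500, "NAT-T IKE and UDP-encapsulated ESP")],
    "sstp": [Flow(PROTO_TCP, 443, "SSTP over HTTPS")],
}


def parse_policy(text: str) -> List[Rule]:
    """Parse constructed 'allow <proto> [port]' lines; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "allow":
            continue
        proto = PROTO_NAMES[parts[1].lower()]
        dport = int(parts[2]) if len(parts) > 2 else None
        rules.append(Rule(proto, dport))
    return rules


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != flow.proto:
        return False
    if flow.proto in (PROTO_TCP, PROTO_UDP):
        return rule.dport is None or rule.dport == flow.dport
    return True   # GRE/ESP/AH: a protocol match is the whole match


def missing_flows(policy: List[Rule], vpn_type: str) -> List[Flow]:
    """Required flows for vpn_type that no rule in the policy admits."""
    return [f for f in REQUIRED[vpn_type]
            if not any(rule_matches(r, f) for r in policy)]


def iptables_lines(vpn_type: str, chain: str = "INPUT") -> List[str]:
    """Render the required flows as iptables rules (assumes a Linux perimeter)."""
    by_num = {v: k for k, v in PROTO_NAMES.items()}
    lines = []
    for f in REQUIRED[vpn_type]:
        rule = f"iptables -A {chain} -p {by_num[f.proto]}"
        if f.dport is not None:
            rule += f" --dport {f.dport}"
        lines.append(f"{rule} -j ACCEPT   # {f.note}")
    return lines


# Constructed policy modelled on the thread's firewall that can only filter
# TCP and UDP: IKE and NAT-T are allowed, but protocol 50 cannot be expressed.
UDP_ONLY_POLICY = parse_policy("""
allow udp 500
allow udp 4500
allow tcp 443
""")

if __name__ == "__main__":
    for vpn in REQUIRED:
        gaps = missing_flows(UDP_ONLY_POLICY, vpn)
        status = "ok" if not gaps else "missing " + ", ".join(f.note for f in gaps)
        print(f"{vpn:18s} {status}")
    print("\n".join(iptables_lines("l2tp-ipsec")))
```

Run against the TCP/UDP-only policy, the check reports `l2tp-ipsec-nat-t` and `sstp` as satisfied, `l2tp-ipsec` as missing ESP, and `pptp` as missing both TCP 1723 and GRE. The practical reading is that a firewall which cannot filter by IP protocol number still carries L2TP/IPsec for clients that sit behind a NAT, because the whole exchange is then UDP 500 and 4500; a client with no NAT in the path negotiates raw ESP, and for that case protocol 50 has to be admitted however the vendor exposes it.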


Sunday, December 23, 2012 10:11 PM

HI,

Is it obligatory to open ESP and AH or not?

My firewall supports only UDP or TCP.