Has it really been almost two months since I've written a blog post? Wow.
I recently experienced an issue with a customer who could not establish a remote access VPN connection to their Cisco ASA from a hotel. The hotel was blocking the standard UDP/500 port and would not allow the alternate TCP/10000 port either, so the connection could not be established.
Fortunately, this is not the first time I, or Cisco, have experienced this issue.
Using IPsec over TCP, we can control the TCP port on the firewall that will respond to the remote access requests. Once the tunnel is established, both VPN devices (the Cisco ASA and the VPN client) pass their traffic inside that same TCP connection.
To change the TCP port that the client will use to connect to the ASA, use the 'crypto isakmp ipsec-over-tcp port' command. The Cisco ASA allows up to ten TCP ports to be used for this feature. So, you can keep the default TCP/10000 and add TCP/80 by entering the following command:
crypto isakmp ipsec-over-tcp port 80 10000
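As an added example (not from the original post), here is a small Python check that reads an ASA configuration and reports how IPsec over TCP is set up: which ports are listening, whether the ten-port limit is exceeded, and whether any chosen port is a well-known service port such as 80 or 443 that the ASA may already be serving on the outside interface (HTTP/HTTPS management or WebVPN), since handing that port to IPsec over TCP takes it away from the other service. The configuration text and the function names are constructed for this example; the ten-port limit and the TCP/10000 default come from the post.

```python
import re
from dataclasses import dataclass, field

MAX_PORTS = 10          # the ASA accepts at most ten ports on this command (per the post)
DEFAULT_PORT = 10000    # default IPsec over TCP port (per the post)

# Well-known ports the ASA itself may already listen on at the outside interface.
# Assigning one of them to IPsec over TCP means that service stops answering there,
# so a reviewer should confirm that is intended.
WELL_KNOWN = {80: "HTTP", 443: "HTTPS"}

# Matches 'crypto isakmp ipsec-over-tcp' with an optional 'port <p> [<p> ...]' list.
CMD_RE = re.compile(r"^\s*crypto isakmp ipsec-over-tcp(?:\s+port((?:\s+\d+)+))?\s*$")


@dataclass
class IpsecOverTcpCheck:
    enabled: bool = False
    ports: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_ipsec_over_tcp(config_text: str) -> IpsecOverTcpCheck:
    """Scan an ASA running-config and summarise the IPsec over TCP settings."""
    result = IpsecOverTcpCheck()
    for line in config_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        result.enabled = True
        if m.group(1) is None:
            ports = [DEFAULT_PORT]          # no 'port' keyword: default stays in effect
        else:
            ports = [int(p) for p in m.group(1).split()]

        if len(ports) > MAX_PORTS:
            result.warnings.append(
                f"{len(ports)} ports listed; the ASA accepts at most {MAX_PORTS}")

        seen = set()
        for p in ports:
            if not 1 <= p <= 65535:
                result.warnings.append(f"port {p} is outside the valid TCP range")
            if p in seen:
                result.warnings.append(f"port {p} is listed more than once")
            seen.add(p)
            if p in WELL_KNOWN:
                result.warnings.append(
                    f"port {p} ({WELL_KNOWN[p]}) will no longer serve {WELL_KNOWN[p]} "
                    "on the interface once IPsec over TCP claims it")
        result.ports.extend(ports)
    return result


# Constructed sample configuration fragment (not a real device's config).
SAMPLE_CONFIG = """\
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto isakmp ipsec-over-tcp port 80 10000
crypto isakmp enable outside
"""

if __name__ == "__main__":
    check = parse_ipsec_over_tcp(SAMPLE_CONFIG)
    print("IPsec over TCP enabled:", check.enabled)
    print("Listening TCP ports:", check.ports)
    for w in check.warnings:
        print("WARNING:", w)
```

Run it against a saved 'show running-config' and the output tells you at a glance which TCP ports a remote client can fall back to, and whether the choice collides with a service you still expect to reach on that interface.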