Tuesday, February 2, 2010

Changing TCP Port for Remote Access VPN Connections


Has it really been almost two months since I've written a blog post? Wow.

I recently experienced an issue with a customer that could not establish a remote access VPN connection to their Cisco ASA from a hotel. The hotel was blocking the standard UDP (500) port and would not allow the alternate TCP/10000 port to establish the connection.

Fortunately, this is not the first time I, or Cisco, have experienced this issue.

With IPsec over TCP, we control which TCP port on the firewall responds to remote access requests. Once the tunnel is established, both VPN endpoints (the Cisco ASA and the VPN client) pass traffic over that same TCP connection.

To change the TCP port that the client will use to connect to the ASA, use the 'isakmp ipsec-over-tcp port' command. The Cisco ASA allows up to ten TCP ports to be used for this feature, and a port you add must not already be used by another service the ASA runs on that interface. So, you can keep the default TCP/10000 and add TCP/80 by entering the following command:
crypto isakmp ipsec-over-tcp port 80 10000
The VPN client's connection entry then has to be set to IPsec over TCP on one of those ports.
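To confirm after the change that remote clients are actually landing on the new port, here is an added Python example (mine, not from the original post) that tallies ASA "Built inbound TCP connection" syslog lines (message 302013) terminating on the ASA's own identity interface by port, and also flags connections to the ASA on ports that are not in the configured set. The log lines are constructed for this example, and the message layout is assumed from the ASA syslog format.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ASA 302013 "Built inbound TCP connection"
# syslog message; addresses and connection ids are made up for this example.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.10/51234 (203.0.113.10/51234) to identity:198.51.100.1/10000 (198.51.100.1/10000)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.11/40211 (203.0.113.11/40211) to identity:198.51.100.1/80 (198.51.100.1/80)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.12/40300 (203.0.113.12/40300) to identity:198.51.100.1/80 (198.51.100.1/80)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.13/50001 (203.0.113.13/50001) to dmz:10.0.0.5/80 (10.0.0.5/80)
%ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.14/50002 (203.0.113.14/50002) to identity:198.51.100.1/443 (198.51.100.1/443)
"""

# Assumed layout: "<src_if>:<src_ip>/<src_port> (...) to <dst_if>:<dst_ip>/<dst_port> (...)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection \d+ for "
    r"(?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \(.*?\) to "
    r"(?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def ipsec_over_tcp_hits(log_text, configured_ports):
    """Count inbound TCP connections that terminate on the ASA itself
    (destination interface 'identity') on one of the IPsec-over-TCP ports
    given in configured_ports.

    Returns ({port: count} for the configured ports,
             [(src_ip, port), ...] for connections to the ASA on other ports).
    """
    counts = Counter()
    unexpected = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or m.group("dst_if") != "identity":
            continue  # not a connection to the ASA itself (e.g. traffic through it)
        port = int(m.group("dst_port"))
        if port in configured_ports:
            counts[port] += 1
        else:
            unexpected.append((m.group("src_ip"), port))
    return dict(counts), unexpected


if __name__ == "__main__":
    # Ports from the command above: default TCP/10000 plus the added TCP/80.
    hits, other = ipsec_over_tcp_hits(SAMPLE_LOG, {80, 10000})
    print("IPsec-over-TCP connections by port:", hits)
    print("other connections to the ASA itself:", other)
```

Feed it real syslog output from the ASA to see whether clients behind restrictive networks are arriving on TCP/80 as intended.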

2 comments:

Roman lesnar said...

Thank you for helping people get the information they need. Great stuff as usual. Keep up the great work!!! vpn review

REBECCA jones said...

Thanks for sharing this information on VPN connections. My friend asked me for a good VPN service, and I searched online for good tech reviews. I suggested a couple of VPN service providers offering amazing services and hope it was useful for him.