Isakmp peers using non-standard port 4500

Hello,
I have a remote site using the Internet to access corporate networks over IPSEC. Set-up is as below:
Remote Router uses public IP across internet --> hits corporate untrusted network FW --> NAT'ed to private 10.x.x.x IP --> reaches trusted network router.
The problem is that the peer keeps hanging and the only way to reset it is to issue 'clear crypto session' on the central trusted router. I have added isakmp keepalives with the aim of forcing some keepalive traffic:
crypto isakmp keepalive 90 30 periodic
...and this works to some degree (with DPD "are you there" keepalives). However I have noticed that the far end router uses non-standard ports when trying to set up the phase-1 tunnel:
BEVRLY_D_CR184_01#sh crypto isa pee
Peer: 161.x.x.x Port: 4500 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10456 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10554 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10557 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10580 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10589 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10596 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10600 Local: 77.x.x.x
Phase1 id: 10.2.0.92
These ports (non-4500) will be blocked by our firewalls. Why does it use these, and is there a way of stopping the router using anything other than port 4500?
Thanks
Phil
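
The listing above is easier to reason about once it is grouped by Phase1 id: one identity showing up from many different UDP source ports on the same peer address is the pattern you see when a NAT/PAT device sits between the peers and allocates a fresh translated source port for each new IKE exchange, while the earlier SAs linger until DPD or 'clear crypto session' removes them. The following added example (not from this thread, not Cisco code) parses "show crypto isakmp peers" text into records, groups ports per identity, and reports which source ports fall outside the two ports IKE legitimately uses (UDP 500 and UDP 4500 for NAT-T), i.e. the ones a firewall that only allows 500/4500 will drop. The sample output is constructed with documentation-style addresses.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "sh crypto isa peer" output in the post
SAMPLE_OUTPUT = """\
Peer: 161.0.0.1 Port: 4500 Local: 77.0.0.1
 Phase1 id: 10.2.0.92
Peer: 161.0.0.1 Port: 10456 Local: 77.0.0.1
 Phase1 id: 10.2.0.92
Peer: 161.0.0.1 Port: 10554 Local: 77.0.0.1
 Phase1 id: 10.2.0.92
Peer: 198.51.100.7 Port: 500 Local: 77.0.0.1
 Phase1 id: 198.51.100.7
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+Port:\s+(\d+)\s+Local:\s+(\S+)")
ID_RE = re.compile(r"^\s*Phase1 id:\s+(\S+)")

# UDP ports IKE legitimately uses: 500 (plain IKE) and 4500 (NAT-T)
IKE_PORTS = {500, 4500}


def parse_peers(text):
    """Return one dict per 'Peer:' line, with the Phase1 id that follows it."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"peer": m.group(1), "port": int(m.group(2)),
                          "local": m.group(3), "phase1_id": None})
            continue
        m = ID_RE.match(line)
        if m and peers:
            # The indented 'Phase1 id' line belongs to the preceding peer entry
            peers[-1]["phase1_id"] = m.group(1)
    return peers


def summarize(peers):
    """Map each Phase1 id to the sorted set of source ports it has used."""
    by_id = defaultdict(set)
    for p in peers:
        by_id[p["phase1_id"]].add(p["port"])
    return {k: sorted(v) for k, v in by_id.items()}


def nonstandard_ports(peers):
    """Source ports a firewall permitting only UDP 500/4500 would block."""
    return sorted({p["port"] for p in peers if p["port"] not in IKE_PORTS})


if __name__ == "__main__":
    entries = parse_peers(SAMPLE_OUTPUT)
    for phase1_id, ports in summarize(entries).items():
        print(phase1_id, "seen from ports", ports)
    print("blocked by a 500/4500-only policy:", nonstandard_ports(entries))
```

Running it on real output: paste the router's listing in place of SAMPLE_OUTPUT. A single identity with several ports, as in the thread, points at the translating device rather than at the router's IKE configuration; the cure is on the firewall/NAT side (allow the translated ports or keep the 4500 mapping stable) plus the DPD and idle-time settings already in the config, so that stale SAs from old port mappings are torn down instead of hanging.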

Hello,
Yes - there's NAT at the trusted central router end, on our side of the firewall... the config used is below:
Remote Router end:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description BEVRLY_CC296_01 F0/8 (10.30.45.29)
ip address x.x.x.x 255.255.255.252
ip helper-address 10.91.6.30
ip helper-address 10.4.162.92
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source Dialer1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
Central Router:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
ip address x.x.x.x 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source FastEthernet0/1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
I believe the DPD keepalives ensure NAT is known and compatible (crypto isakmp keepalive 90 30 periodic) between the peers....
Any help gladly appreciated....
thanks
Phil

Similar Messages

  • IPSEC crypto peers using non-standard ports

    Hello,
    I have a remote site that is using port 4500 within the isakmp phase of creating an IPSEC tunnel, but for some reason it is also constantly using random port numbers as well:
    BEVRLY_D_CR184_01#sh crypto isa peer
    Peer: x.x.x.x Port: 4500 Local: x.x.x.x
    Phase1 id: 10.2.0.92
    Peer: x.x.x.x Port: 10456 Local: x.x.x.x
    Phase1 id: 10.2.0.92
    Peer: x.x.x.x Port: 10554 Local: x.x.x.x
    Phase1 id: 10.2.0.92
    Peer: x.x.x.x Port: 10557 Local: x.x.x.x
    Phase1 id: 10.2.0.92
    Peer: x.x.x.x Port: 10580 Local: x.x.x.x
    Phase1 id: 10.2.0.92
    These are all blocked by the firewall when trying to communicate with our central router in the trusted network. The central router does not display the same symptoms; it only uses port 4500.
    Is there a way of preventing the remote router from using random port numbers and only allowing it to use 4500?
    Thanks
    Phil

  • CFHTTP GET using non-standard ports

    I have an application which goes out and checks links on
    various servers to verify that the link still exists, however I
    have a few links on servers that use non-standard ports (ie 8001,
    7072, 8080, etc). When I dump CFHTTP I get the following:
    struct
    Charset [empty string]
    ErrorDetail I/O Exception: Premature EOF encountered
    Filecontent Connection Failure
    Header [undefined struct element]
    Mimetype Unable to determine MIME type of file.
    Responseheader struct [empty]
    Statuscode Connection Failure. Status code unavailable.
    Text YES
    Any ideas?
    Thanks.
    Mike

  • How to use non-standard port for vnc?

    Our Windows users who use RDC to connect to their desktops from off-site come in on a non-standard port number. Part of our security setup.
    I'd like to do the same with Mac users who use screen sharing and vnc to connect remotely.
    How can I specify another port number at both ends to accomplish this?
    I can find nothing in the Network Utility app, or in the KB.
    Surely there's a short sequence of Terminal commands that will do this?

    I haven't tried this so don't know whether it will work. But I think it will. Presuming the target machine is a Mac, see if editing its /etc/services file will do it. Find the two lines that start with "vnc-server" and change the port number there. Launch Terminal.app as an administratively privileged user, sudo pico /etc/services, ^w to search for vnc-server, make the changes, ^x to exit, y to save and overwrite. Also, you will need to have screen sharing enabled in the target machine's System Preferences' Sharing, and the authorized users defined there, too. Reboot. Now, on the remote client, assuming it is also a Mac, the user would type ⌘k in the Finder (or mouse to Finder > Go > Connect to Server), and enter something like vnc://123.45.67.89:55900 where you substitute the actual IP address or host name for where I have entered 123.45.67.89, and where you substitute the actual alternate port number where I have entered 55900. Of course, in the clients' Screen Sharing's Preferences, they should choose to encrypt the entire session, not just the login. Like I said, I haven't tried this because I just tunnel my vnc stuff through ssh, but I'm thinking that this should work.

  • CSS 11501 ftp server setup problem using non-standard port

    Dear Expert,
    We would like to set up an FTP server behind the CSS where our member server uses non-standard ports for both the control and data channels (i.e. 6370 as control and 6369 as data in this case), but it seems we can only get Passive mode FTP to work, not Active mode, where the server has to establish the data channel back to the client... is there any professional advice that can help with this case...? Here is our setup info FYI
    #  sh ver
    Version:               sg0820501 (08.20.5.01)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.20.5.01
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    CVDM Version:          cvdm-css-1.0_K9
    !*************** Global
    ftp data-channel-timeout 10
      ftp non-standard-ports
    !************************** SERVICE **************************
    service ftp_ftpgtw
      keepalive maxfailure 2
      keepalive frequency 15
      keepalive retryperiod 2
      keepalive type tcp
      ip address 192.168.52.170
      protocol tcp
      keepalive port 6370
      port 6370
      active
    # sh run group drfusegtwftp_grp 
    !*************************** GROUP ***************************
    group gtwftp_grp
      vip address 192.168.52.28
      add service ftp_ftpgtw
      active
      content ftp_gtwpkg-ftpgtw
        add service ftp_ftpgtw
        vip address 192.168.52.28
        port 21
        protocol tcp
        application ftp-control
        active

    Thanks for your confirmation on no prob found in config level 1st..:P..as to save us a lot of time in isolating problem at this level.
    What we can notice is that the data port connection fails to open from the server back to the client... in our general understanding, the expected flow should be:
    TCP session A -- Client:1234 --> VIP:21 --> member svr:6370
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 6379 [on demand generated between server/client]
    but we can only see session B fail to set up when the client side accesses the VIP site on the CSS... even when we try the most standard case as below
    TCP session A -- Client:1234 --> VIP:21 --> member svr:21
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 20
    we are still unable to make Active mode FTP access work either... hence we have no idea how the CSS handles FTP access when it involves services over multiple TCP ports..
    and from the CSS xlate view... the problem is we can only see which NAT IP the CSS uses to connect to the client... but no way to confirm which port the VIP uses outgoing to the client, nor whether it is dropped by the CSS or never set up from the VIP to the client side.

  • FaceTime using non-standard ports?

    FaceTime will not work on my internal network. I can place a call from one iOS device to another, and the receiving device can connect...but the caller doesn't complete the connection.
    I've opened the ports on my firewall listed in Apple's KnowledgeBase article (http://support.apple.com/kb/ht4245):
    443 (TCP) - already open for HTTPS traffic
    3478 through 3497 (UDP)
    5223 (TCP) - already open for Apple Push Notification Service traffic
    16384 through 16387 (UDP)
    16393 through 16402 (UDP)
    In my WatchGuard Firebox firewall's logs, however, when I place a FaceTime call I'm seeing 3 packets blocked with destination ports in the 50000-60000 range - well outside the ranges Apple lists, for example:
    Deny     10.50.1.155     [outside]     49350/udp -> 59491
    Deny     10.50.1.155     [outside]     49351/udp -> 59491
    Deny     10.50.1.155     [outside]     21487/udp -> 59491
    or
    Deny     10.50.1.155     [outside]     25000/udp -> 60232
    Deny     10.50.1.155     [outside]     51137/udp -> 60232
    Deny     10.50.1.155     [outside]     51138/udp -> 60232
    or
    Deny     10.50.1.155     [outside]     27814/udp -> 59060
    Deny     10.50.1.155     [outside]     10839/udp -> 59060
    Deny     10.50.1.155     [outside]     10840/udp -> 59060
    As mentioned, I place the call, the receiver rings, the receiver answers and says "connecting...", but the caller keeps ringing.
    Any ideas?
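
When a log shows denies that do not match the vendor's published port list, two questions matter: which denied destination ports are outside every documented range (a real gap in the published list, or traffic that is not what you think), and whether anything inside the documented ranges is still being denied (the rule you added is not actually in effect). The following added example (not from this thread, not WatchGuard or Apple code) encodes the five ranges quoted from the Apple article above, parses deny lines in the Firebox format shown, and answers both questions over a constructed log.

```python
import re

# (protocol, low, high) ranges as listed in Apple's KB article quoted above
ALLOWED = [
    ("tcp", 443, 443),
    ("udp", 3478, 3497),
    ("tcp", 5223, 5223),
    ("udp", 16384, 16387),
    ("udp", 16393, 16402),
]

# Constructed log lines in the WatchGuard Firebox style shown in the post.
# The last line is a deny inside a documented range: the firewall rule
# covering 3478-3497/udp is evidently not applied to this host.
SAMPLE_LOG = """\
Deny     10.50.1.155     [outside]     49350/udp -> 59491
Deny     10.50.1.155     [outside]     49351/udp -> 59491
Deny     10.50.1.155     [outside]     21487/udp -> 59491
Allow    10.50.1.155     [outside]     52001/tcp -> 443
Deny     10.50.1.155     [outside]     52002/udp -> 3478
"""

LINE_RE = re.compile(
    r"^(Allow|Deny)\s+(\S+)\s+\[(\w+)\]\s+(\d+)/(tcp|udp)\s+->\s+(\d+)")


def parse_line(line):
    """Turn one Firebox traffic line into a record, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action, src, iface, sport, proto, dport = m.groups()
    return {"action": action, "src": src, "iface": iface,
            "sport": int(sport), "proto": proto, "dport": int(dport)}


def in_allowed(proto, port):
    """True if proto/port falls inside one of the documented ranges."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in ALLOWED)


def denies_outside_ranges(log):
    """Denied flows whose destination port no documented range covers."""
    recs = (parse_line(l) for l in log.splitlines())
    return [r for r in recs
            if r and r["action"] == "Deny" and not in_allowed(r["proto"], r["dport"])]


def denies_inside_ranges(log):
    """Denied flows that the documented ranges say should have been allowed."""
    recs = (parse_line(l) for l in log.splitlines())
    return [r for r in recs
            if r and r["action"] == "Deny" and in_allowed(r["proto"], r["dport"])]


if __name__ == "__main__":
    for r in denies_outside_ranges(SAMPLE_LOG):
        print("undocumented:", r["proto"], r["dport"], "from", r["src"])
    for r in denies_inside_ranges(SAMPLE_LOG):
        print("rule not effective:", r["proto"], r["dport"], "from", r["src"])
```

The three 59491/udp denies are the kind of thing the post describes: a high port negotiated at call setup that no static list predicts. Treat such ports as a per-session allocation, not as a candidate for a permanent open range; a firewall that understands the session (or a vendor-documented wider range) is the defensible fix.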

    Yup, FaceTime was set up on all devices using my home network. It functions correctly pretty much everywhere except on my internal network at the office.
    I'm pretty sure this is a firewall issue, not a basic FaceTime problem.

  • Using non-standard sshd port after 10.8 upgrade

    After spending hours tracking down this solution as a result of losing my ssh settings after the upgrade to Mountain Lion, I thought it might be useful to post the steps taken to restore the configuration I used with Snow Leopard.
    Changing the sshd default listening port
    Disclaimer: This tutorial is specific to Mountain Lion (OS X 10.8). I was able to accomplish this using Snow Leopard (OS X 10.6) in fewer steps, but upgrading required this more involved solution. 
    Steps:
    1.) You must first enable the root user account in order to change the relevant files. This can be done from the terminal, or by going to System Preferences --> Users & Groups. Once there, click on 'Login Options' at the bottom of the Current User list, and 'Join' where it says 'Network Account Server'.
    This will bring up a smaller window. Click on 'Open Directory Utility' at the bottom. You will be prompted for your admin password. Now go to the 'Edit' tab at the top of the screen and toggle down to 'Enable Root User'.  You will be prompted to enter your admin password twice.
    2.) Log out of your regular user account. At the log in screen you will now see an additional entry for 'other'. Click on that and log in with the username 'root' and your admin password. If you are inexperienced as a root-level user, be careful, as you can cause problems to your system that can be difficult to undo.
    Once in your root account, the first step is to create a new 'service definition' in the /etc/services file. Open the file with the text editor of your choice and scroll to the current entry for the sshd listening port, which will look like this:
    ssh    22/udp    # SSH Remote Login Protocol
    ssh    22/tcp     # SSH Remote Login Protocol
    Overwrite the '22' with the port number you would like sshd to listen on:
    ssh    12345/udp   # SSH Remote Login Protocol
    ssh    12345/tcp    # SSH Remote Login Protocol
    *12345 being our hypothetical, non-standard port.
    It is important to note that the new port number will not take by simply adding a new uncommented line to the file (I tried), unless of course you comment the original ssh entries. Easiest way is just to overwrite what is there already. Save changes.
    3.) You now need to edit the ssh.plist file, which is located at /System/Library/LaunchDaemons/ssh.plist. A word to those familiar with Linux/BSD environments: changing the default port in the sshd_config file, which exists in OS X, does NOT change the listening port. Simply changing the default port, saving the config file, and restarting the server (the sensible way) won't work. The OS X sshd server (openssh) is configured to get launch instructions from the ssh.plist file, as opposed to sshd_config. If you are more interested in this aspect of OS X, read up on LaunchDaemons (e.g. launchd).
    Before altering the ssh.plist file, you should save a backup copy in case of mistakes, or if you need to revert back to it in the future. Name your backup file something like original.ssh.plist, etc.
    In the ssh.plist file, locate the SockServiceName entry and change it from the default:
    <key>SockServiceName</key>
    <string>ssh</string>
    To the following:
    <key>SockServiceName</key>
    <string>$alternate port number</string>
    In our example from above this value would be 12345.
    4.) Save your changes, and exit ssh.plist. You now need to move the backup file you created (original.ssh.plist) out of the /System/Library/LaunchDaemons path.
    The updated sshd port will not take until you have only one ssh.plist file in the LaunchDaemons directory - this has to do with how launchd is configured to load files which is outside the scope of the current discussion.  (*If you've found a way around this, please share.) 
    5.) Restart the sshd server. Easiest way to accomplish this is going to System Preferences --> Sharing and clicking off 'Remote Login', then clicking back on it. 
    6.) Test the configuration by logging into the machine running the sshd server from another host using:
    ssh username@ipaddress -p 12345
    There are a few good tutorials out there that capture some of these steps, but many are dated and/or incomplete. If you are running a standard setup of OS X 10.8, this should work for you.
    Of course, don't be fooled into thinking that changing the default listening port from the ubiquitously-probed 22 equates to actual security. At best, it will cut down on the number of dubious connection attempts and probing.
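
Steps 2 and 3 fit together as follows: launchd opens the listening socket itself and hands it to sshd, and the SockServiceName value is either a numeric port or a service name that launchd resolves through /etc/services, which is why editing sshd_config alone has no effect and why either a numeric value in the plist or a renamed "ssh" entry in /etc/services works. The added example below (not from the post, not Apple code) parses a constructed /etc/services excerpt, reads and rewrites the SockServiceName key in a reduced ssh.plist fragment with the standard-library plistlib module, and resolves the value to the port sshd would end up on. The plist fragment keeps only the Sockets/Listeners part of the real file.

```python
import plistlib

# Constructed /etc/services excerpt, as edited in step 2 above
SERVICES_TEXT = """\
# Network services, Internet style
ssh    12345/udp    # SSH Remote Login Protocol
ssh    12345/tcp    # SSH Remote Login Protocol
http   80/tcp       www www-http
"""

# Constructed ssh.plist fragment, reduced to the keys relevant here
SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key><string>ssh</string>
      <key>Bonjour</key><array><string>ssh</string><string>sftp-ssh</string></array>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(name, proto)] = int(port)
    return table


def sock_service_name(plist_bytes):
    """Read the listener's SockServiceName from the plist."""
    d = plistlib.loads(plist_bytes)
    return d["Sockets"]["Listeners"]["SockServiceName"]


def set_sock_service_name(plist_bytes, value):
    """Return a new plist with SockServiceName replaced (step 3 above)."""
    d = plistlib.loads(plist_bytes)
    d["Sockets"]["Listeners"]["SockServiceName"] = str(value)
    return plistlib.dumps(d)


def resolve_port(name, services, proto="tcp"):
    """Numeric values are used as-is; names are looked up like launchd does."""
    if name.isdigit():
        return int(name)
    return services[(name, proto)]


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    print("default plist resolves to", resolve_port(sock_service_name(SSH_PLIST), services))
    edited = set_sock_service_name(SSH_PLIST, 2222)
    print("edited plist resolves to", resolve_port(sock_service_name(edited), services))
```

With the /etc/services edit from step 2 alone, the unchanged name "ssh" already resolves to 12345; with a numeric value in the plist, /etc/services is not consulted at all, which is the shorter route the follow-up post below takes. Either way the change only takes effect after launchd reloads the job (steps 4 and 5 above).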

    Hi all, above helped me change the sshd port number, thank you very much.
    Just upgraded to OS X 10.9.3 on my macbook pro.
    My findings were:
    Step 1(become a root user or sudo)
    Step 2 (/etc/services)
    This may not be required unless you want ssh to work without the "-p XXXX" option to connect to other ssh hosts.  I favor such as "ssh -p 2222 user@hostname" just to be sure I know what I am doing and also to leave ssh known port as its default "22".
    Step 3 (/System/Library/LaunchDaemons/ssh.plist)
    This is required if you want to change the sshd port number, I changed both "ssh" to "2222" in this file.
    Step 4 (launchctl)
    Below is a must as I understood:
    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load /System/Library/LaunchDaemons/ssh.plist
    it should be already working with the new port number.
    You can "ssh -p 2222 user@localhost" in the console terminal and see if its working.
    Since I am no expert on MacOS X, and it is a macbook pro that I am using, I also rebooted the system and the changes were reflected permanently.
    Thank you guys!

  • Mailserver using non-standard smtp port

    how do i set SMTP to accept connections on a non-standard port (i.e. 2525 or something)?
    i'm running a mail server and my residential isp (comcast) after ten years of peaceful coexistence decided that they need to block port 25. so i am setting up a commercial store/forward mail relay service. all i need to do is set up my snow leopard server to accept incoming connections on a port other than 25. sounds easy. it is mentioned in the docs thusly:
    "By default SMTP is enabled on port 25. If port 25 is blocked in your environment,
    you need to change the port SMTP uses."
    ... but that's all i can find. specifically, it doesn't say exactly how to change the port.
    any help appreciated.

    following up to my own post. hoping this info may be useful for others who face the same issue who are running a server and then having email ports blocked by their ISP's.
    i worked around this by signing up for a mail relay service (i use the one provided by dnydns.com). they forward incoming mail for my domain over a nonstandard port.
    since i never received an answer to my question about how to make SnowLeopardServer email server accept SMTP connections on other ports, i simply used port mapping in my router (Airport Extreme) to redirect this port (i used 2525) on my WAN address to port 25 on my server - an acceptable workaround.
    i also did the same port redirection for the other "standard alternative" smtp ports, 465 and 587.
    since my ISP blocks port 25 in both directions, i also needed to find a work-around for outgoing mail as well. previously, my mail server simply forwarded to my ISP's smtp server (using the default port 25). here the Server Admin interface worked but with one "trick": under Mail>Settings>General, i left the box for "Relay outgoing mail through host:" checked, and in the field there i put "[smtp.myispdomain.net]:587" (that is with square brackets, and a colon, but no double-quotes - and of course, use your own smtp server's domain name). afaik this is not documented anywhere in the apple-provided docs, but i found the corresponding docs for postfix, and reverse-engineered it.
    so now i can read (via IMAP) and send (via SMTP) mail from my home server, both when i am on my LAN and when i am accessing remotely, and effectively work around the bi-directional block of port 25 imposed by my ISP.
    i'd still like to know if there is a method of configuring smtp to accept connections on ports other than 25. i can see how to do it by editing /etc/postfix/master.cf, but afaik that file gets overwritten by Server Admin...
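
For the last question, the master.cf route the poster mentions looks like the fragment below; this is an added example of the standard Postfix master.cf listener syntax, not from the post or from Apple's documentation. The first line is the stock port-25 listener; the second adds an identical smtpd listener on 2525. The poster's own caveat applies: if Server Admin regenerates master.cf, the extra line is lost, which is why port-mapping on the router is the safer workaround on that platform.

```text
# /etc/postfix/master.cf (added example, not from the post)
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
2525      inet  n       -       n       -       -       smtpd
```

After editing, reload Postfix (postfix reload) and confirm with a plain TCP connection to port 2525 that the SMTP banner appears. The new listener inherits the same relay restrictions as port 25, so exposing it does not loosen anything as long as those restrictions were already sound.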

  • How can ftp service on non-standard port be load balanced using Cisco ACE.

    How can an ftp service on a non-standard port be load balanced using Cisco ACE? For example, ftp service required on tcp port 2000.

    Hi Samarjit,
    you can do this by specifying the port number in the class map that you create. Please find the below mentioned config guide where you can specify the tcp/udp port, a range of ports or even the wild card to match the port.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
    Regards
    Abijith

  • Using the CSM to setup a HTTPS session on non-standard ports?

    Hi Guys,
    One of our clients wants to set up an SSL connection on a non-standard SSL port, i.e. 4444 to begin with. Here the server handles the SSL encryption / decryption instead of the SSL module.
    I've found the following config to work well:
    serverfarm FARM-MOBS-4444
    nat server
    no nat client
    predictor leastconns
    failaction purge
    real 130.194.12.81 4444
    inservice
    real 130.194.12.84 4444
    inservice
    probe MOBS-4444
    sticky 108 netmask 255.255.255.255 timeout 60
    vserver VMOBS-PROD-4444
    virtual 130.194.11.51 tcp https
    serverfarm FARM-MOBS-4444
    sticky 60 group 108
    persistent rebalance
    inservice
    With the above setup the CSM redirects the SSL connections (received on 443) to port 4444 on the server and maintains this for the duration of the session.
    While the above setup works, is it possible to configure the VIP to use a HTTPS port other than 443 (which is default)? This would then allow for separate HTTPS paths to be setup on non-standard ports. I ask this since the client also wants to setup a HTTPS path on port 4443 as well.
    Any ideas would be useful.
    thanks
    Sheldon

    Hi Martin,
    Do you mean using the SSL module to perform the encryption / decryption? If so, I've tried this and it does work without an issue.
    I was just wondering if it were possible to have a VIP setup where the HTTPS port is not 443 but say 4443, where the encryption / decryption is done by the real servers themselves.
    thanks
    Sheldon

  • Cannot setup work email using SSL on non standard port

    All,
      I've been trying now for a few hours to set up a corporate email account.  I've tried via the curve and via the bb internet service but in both cases, since the service cannot detect the settings because a non standard port is in use, I cannot use the service and am considering returning the device to go with another easier to use device.  I love the hardware design but if I cannot set up my corporate email this is no good to me.  I'd appreciate any tips anyone has.
    Thanks,
      Frustrated.

    Your corporate email account is an exchange server or what?
    You are on a personal BIS plan?

  • Accessing websites running on non-standard ports or with self-signed ssl certs?

    I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
    Anyone else noticed this?

    If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
    That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
    If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
    In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
    In the second case, the ASA's identity certificate itself would have to be installed on the client since it (the ASA) is essentially acting as its own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

  • Cisco Secure ACS 5.6 Backup to FTP server listening on non-standard ports

    When defining a software repository from CLI or GUI, I have not been able to define the custom port that our FTP server is listening on.  Does ACS support the use of custom ports for FTP?

    Hi Anthony,
    I don't think it will support non-standard ports, as the options are only Disk, FTP, SFTP, TFTP and NFS.
    Regards,
    Chris

  • Running the BO servers on non standard ports XIR2

    Hi all,
    I need to know how to get the bo servers to register with the cms when it is running on a non-standard port. The port I'm using is 6409, so I have tried adding -port 6409 to the command line string, but that didn't work.
    I'm running two instances of BO on the box, hence the need for non standard ports.
    Any thoughts?
    TIA,
    Jeff

    -port switch is the correct way to accomplish this.
    So your CMS will have -port 6409, the rest of the servers will have -ns cmsname:6409 in their command line.
    You might want to look at adding -requestport switches as well....
    Please review Admin guide for more details on usage of those switches.

  • Doing proper NAT to FTP connections on non-standard port

    Router 1712, IOS 12.3
    There is an article from Cisco, "Using Non-Standard FTP Port Numbers with NAT".
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml
    It explains how to enable NATting router to perform proper translation of NAT-sensitive protocols, in this case FTP.
    The article assumes that the FTP server in question is on the inside interface of the router.
    The configuration proposed by the article is as follows:
    interface Ethernet0
    ip address 10.1.1.2 255.255.255.0
    ip nat inside
    interface Serial0
    ip address 192.168.10.1 255.255.255.252
    ip nat outside
    ip nat service list 10 ftp tcp port 2021
    ip nat inside source static 10.1.1.1 20.20.20.1
    access-list 10 permit 10.1.1.1
    In my case, the FTP server in question is on the outside interface. The router is performing source NAT for outbound connections. An example of my config is below:
    interface Ethernet0
    ip address 12.34.56.1 255.255.255.0
    ip nat outside
    interface Vlan324
    ip address 10.1.1.2 255.255.255.0
    ip nat inside
    ip nat service list 10 ftp tcp port 2021
    ip nat inside source static 10.1.1.100 12.34.56.100
    access-list 10 permit 12.34.56.200
    With this configuration, Layer 3 NAT is working. I'm able to establish an FTP control channel and issue FTP commands. However, I think that the IP addresses inside FTP control channel are not translated properly (to 12.34.56.100). Therefore, the FTP data channel is not working.
    I tried to enable the following debug, however didn't see any entries related to FTP control channel translation:
    debug ip nat
    debug ip nat detailed
    debug ip snat
    debug ip snat detailed
    debug ip ftp
    debug ftpserver
    My question is:
    Is the "ip nat service list <acl> ftp tcp <port>" command supposed to work when the FTP server in question is on the outside interface of the translating router ?

    Hi,
    I see that this question was asked quite some time ago but I have come across the same issue, i.e. when the server is on the outside interface the IP in the "PORT" command from the client is not translated.
    Did you ever get a fix for it?
    Thanks
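
Both FTP threads above (the CSS active-mode problem and this NAT one) come down to the same thing: FTP carries an IP address and port inside the control channel, in the client's PORT command for active mode and in the server's 227 reply for passive mode, and plain layer-3 NAT never looks at that payload. The following added example (not from either thread, and not the Cisco ALG's code) decodes both forms and shows the rewrite an FTP-aware NAT has to make when an inside client announces its private address to an outside server, which is exactly the case the reply above says is left untranslated. The addresses and ports are constructed, taken from the config and flows quoted in the threads.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """Turn the six h1..h4,p1,p2 fields into (ip, port); p1*256+p2 is the port."""
    h = [int(x) for x in groups]
    if any(x > 255 for x in h):
        raise ValueError("field out of range: %r" % (groups,))
    return ".".join(str(x) for x in h[:4]), h[4] * 256 + h[5]


def parse_port_command(line):
    """Active mode: the client tells the server where to connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Passive mode: the server tells the client where to connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode(m.groups())


def build_port_command(ip, port):
    """Encode (ip, port) back into PORT syntax."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def translate_port_command(line, inside_ip, global_ip):
    """What an FTP ALG must do for an inside client talking to an outside server:
    replace the inside address in PORT with the static global address so the
    server's data connection targets the NAT router, not an unroutable 10.x IP.
    Returns (rewritten_line, changed)."""
    ip, port = parse_port_command(line)
    if ip != inside_ip:
        return line, False
    return build_port_command(global_ip, port), True


if __name__ == "__main__":
    # Inside client 10.1.1.100 is statically translated to 12.34.56.100 (from the NAT post)
    cmd = "PORT 10,1,1,100,19,136"
    print(parse_port_command(cmd))                       # ('10.1.1.100', 5000)
    print(translate_port_command(cmd, "10.1.1.100", "12.34.56.100"))
    # CSS member server announcing its non-standard data port in passive mode
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,52,170,24,225)"))
```

Reading the two threads with this in hand: passive mode works through the CSS because the client connects inward to the address the load balancer presents, while active mode needs the server's connection back to the client to be built from whatever address the client put in PORT, so that payload is where to look (a packet capture of the control channel, rather than "debug ip nat", shows whether the address was rewritten). The same holds on the 1712: if the PORT command still carries 10.1.1.100 after translation, no data channel from the outside server can succeed.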
