
VPN / NAT / ISP / HOTSPOTS

We have just been testing our always-on VPN connection, which works great.

However, we have noticed that some staff have had issues connecting, and we ran this command on the firewall

tail -f packetfilter.log | grep -i 

to see what was happening. It turns out that when connecting over a hotspot the source port was something like 30338, or just really high in the reserved port list.

So we have changed the NAT rule's matching condition so that the source port is 1:65535,

which is also the same for the action.

We also had to do this for port 4500.

I'm just unsure whether this is OK and not a security risk.

When connecting via, say, my ISP Virgin, I can connect fine with no issues, and so can my colleagues. However, one colleague has created a test network at home and only modified his home ISP router to allow the ports above to be open, and when he tested with his hotspot it worked fine.

I can only assume it's the difference within the NAT protocols,

and that effectively I'm trying to force connections to come in via the source port, e.g. 500, and some providers don't like that??

Thanks



  • No, that's OK.

    IKE uses port 500 as destination but may use port 500 or random ports as source.

    ESP with NAT-T uses 4500 as destination and random ports as source.

    Widening the source port range is not a security risk.

    And I have seen connections starting with source port 500 at the initiator VPN device, but the provider changed this to random source ports and I have source ports 0:65535 at the second VPN device ...

    ... even though we didn't even use NAT.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
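One way to check what this thread describes against your own packetfilter.log, as an added example that is not part of the original thread and not Sophos' own tooling: the script below parses ulogd-style key="value" log lines (the five sample lines are constructed, and the field names srcip, dstip, proto, srcport, dstport and action are assumed to match the real log), lists the source ports each client used for UDP 500/4500, flags clients whose source port arrived rewritten away from 500/4500 (what a hotspot or carrier NAT does), and counts how many of their packets a rule that insists on "source port = service port" would match versus the widened 1:65535 range.

```python
"""Summarise IKE / NAT-T source ports from Sophos UTM style packetfilter.log lines.

Added example, not from the original thread. The log lines below are constructed
to resemble the ulogd key="value" format of packetfilter.log; the field names
(srcip, dstip, proto, srcport, dstport, action) are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines (not a real capture). One hotspot client arrives with
# NAT-rewritten source ports; one fixed-line client keeps 500/4500 as source.
SAMPLE_LOG = """\
2019:03:12-10:15:23 fw ulogd[5234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.5" dstip="198.51.100.1" proto="17" srcport="30338" dstport="500"
2019:03:12-10:15:24 fw ulogd[5234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.5" dstip="198.51.100.1" proto="17" srcport="30339" dstport="4500"
2019:03:12-10:15:30 fw ulogd[5234]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="198.51.100.77" dstip="198.51.100.1" proto="17" srcport="500" dstport="500"
2019:03:12-10:15:31 fw ulogd[5234]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="198.51.100.77" dstip="198.51.100.1" proto="17" srcport="4500" dstport="4500"
2019:03:12-10:15:40 fw ulogd[5234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.9" dstip="198.51.100.1" proto="6" srcport="51515" dstport="443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
IKE_PORTS = {500, 4500}   # IKE and IKE/ESP NAT-T destination ports
UDP = "17"


def parse_line(line):
    """Return the key="value" fields of one ulogd-style log line as a dict."""
    return dict(KV_RE.findall(line))


def ike_flows(log_text):
    """Yield (srcip, srcport, dstport, action) for UDP packets to 500 or 4500."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("proto") != UDP:
            continue
        dport = int(f.get("dstport", 0))
        if dport not in IKE_PORTS:
            continue
        yield f["srcip"], int(f["srcport"]), dport, f.get("action", "")


def would_match(srcport, dstport, src_range=None):
    """Emulate the rule's source-port condition.

    None means "source port must equal the service port" (a 500->500 /
    4500->4500 only rule); a (lo, hi) tuple means a widened range such as
    (1, 65535), which is what the thread ends up configuring.
    """
    if src_range is None:
        return srcport == dstport
    lo, hi = src_range
    return lo <= srcport <= hi


def summarise(log_text, src_range=None):
    """Per source IP: source ports seen, whether they were rewritten away from
    500/4500 (typically by a hotspot or carrier NAT), and how many packets a
    rule with the given source-port condition would have matched."""
    report = defaultdict(lambda: {"ports": set(), "rewritten": False,
                                  "matched": 0, "total": 0})
    for ip, sport, dport, _action in ike_flows(log_text):
        r = report[ip]
        r["ports"].add(sport)
        r["total"] += 1
        if sport != dport:          # initiator used 500/4500 but it arrived changed
            r["rewritten"] = True
        if would_match(sport, dport, src_range):
            r["matched"] += 1
    return dict(report)


if __name__ == "__main__":
    for label, rng in (("source port = service port", None),
                       ("source port 1:65535", (1, 65535))):
        print(f"rule condition: {label}")
        for ip, r in sorted(summarise(SAMPLE_LOG, rng).items()):
            print(f"  {ip:15} ports={sorted(r['ports'])} rewritten={r['rewritten']} "
                  f"matched {r['matched']}/{r['total']}")
```

Run it against the real log with `tail -n 5000 packetfilter.log` piped into `summarise` instead of SAMPLE_LOG; any client listed with rewritten=True and matched 0/N under the strict condition is exactly the hotspot case from the first post, and the same client matches N/N once the source port range is 1:65535.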

  • Hi Kevin,

    Also, see #5 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA