Firewalls and VPN
You may need to turn off your personal firewall software in order to successfully use the Virtual Private Network (VPN). If you are running Windows XP, you may need to ensure that the XP firewall is not enabled. The VPN may not function properly if ZoneAlarm is installed. The VPN already contains a firewall that you can activate:
- Right-click on the VPN icon in your System Tray.
- Choose Stateful Firewall and then confirm that this option has been checked.
- Once enabled, the Stateful Firewall will protect your computer from inbound traffic even if the VPN client isn't running.
Windows XP Service Pack 2 Firewall and VPN
With the release of Windows XP Service Pack 2 (SP2) in August 2004, a built-in Firewall was included.
Note: A Firewall may be either a program or a hardware device that "filters" information coming into your computer or office network. If an incoming packet of information is flagged by the Firewall's filters, it is not allowed through.
You may want to turn off Windows XP Firewall, because the Cisco VPN client includes a firewall that is active if the VPN client is running (that is, if you can see the "lock" icon on the bottom right of your screen, whether or not you have an active VPN connection). However, if you prefer to run both firewalls, the following procedure may allow that. This page represents all of the support UNCG is able to offer for firewalls.
The default configuration of the Windows Firewall control panel in Windows XP SP2 prevents the Cisco VPN client software from communicating successfully with the VPN server if you are using the IPSec over TCP choice. The needed packets can't be exchanged. To be able to successfully connect with the current Cisco VPN Client version, you have the following three options. These workarounds should be applied in order. When you are able to connect with the Cisco VPN client, you may stop.
Option 1 - Open UDP Port 62515
- Click Start, and then click Control Panel.
- Double-click Windows Firewall (or click Security Center and then Windows Firewall).
- In the Windows Firewall control panel, click the Exceptions tab.
- Click Add Port.
- In the Name field, type VPN_UDP_62515.
- In the Port number field, type 62515.
- Click the UDP radio button.
- Click OK to add the port. It should appear in the list of Programs and Services and it should be checked.
- Click OK to close the Windows Firewall control panel.
- Attempt to connect with the Cisco VPN Client. If successful, you are finished.
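The same exception can be added from the command line, which is useful when you need to repeat Option 1 on several XP SP2 machines or confirm that the exception actually took effect. The following is an added example, not part of the UNCG page; it uses the "netsh firewall" context built into Windows XP SP2, assumes it is run from an Administrator command prompt, and reuses the port (62515) and name (VPN_UDP_62515) given in the steps above.

```batch
@echo off
REM Added example (not from the UNCG page): command-line equivalent of
REM Option 1 on Windows XP SP2, using the built-in "netsh firewall" context.
REM Assumes an Administrator command prompt; the port and rule name are the
REM values from the Option 1 steps.

REM 1. Record the firewall state before changing anything.
netsh firewall show state

REM 2. Add the UDP 62515 exception (same as Exceptions tab, Add Port).
REM    profile=ALL applies it to both the Domain and Standard profiles, so
REM    the exception is present whether or not the PC is on the domain.
netsh firewall add portopening protocol=UDP port=62515 name=VPN_UDP_62515 mode=ENABLE profile=ALL

REM 3. Verify the exception is listed and enabled before trying the VPN.
netsh firewall show portopening

REM 4. If the Cisco VPN Client now connects, stop here. If the exception is
REM    no longer needed (for example, after switching to Option 2), remove
REM    it instead of leaving an unused open port:
REM    netsh firewall delete portopening protocol=UDP port=62515
```

Keep the scope at its default here: the VPN server is not on your local subnet, so narrowing the exception with scope=SUBNET would block exactly the packets Option 1 is meant to allow.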
Option 2 - Switch to IPSec over UDP (NAT/PAT)
Note: If you are unable to connect with the IPSec over TCP option, these steps will change your VPN Client software to the IPSec over UDP (NAT/PAT) choice.
- Open the VPN dialer by double-clicking on the desktop shortcut (if you have one); or, click the Start menu, then All Programs, Cisco Systems VPN Client, and VPN Dialer.
- When the Cisco Systems VPN Client window opens, click the Options drop-down list button and select Properties.
- Click the IPSec over UDP (NAT/PAT) radio button.
- Click OK.
- Attempt to connect with the Cisco VPN Client. If successful, you are finished.
Option 3 - Turn off the Windows XP SP2 Firewall
Note: If you are unable to connect with either of the above options, these steps will turn off the Windows Firewall. You will then be without an important security feature added in Windows XP SP2, but you should be able to use the VPN Client software as you did before SP2 was installed.
- Click Start, and then click Control Panel.
- Double-click Windows Firewall (or click Security Center and then Windows Firewall).
- Click the Off (not recommended) radio button.
- Click OK to close the Windows Firewall control panel.
- Attempt to connect with the Cisco VPN Client.
