Today I was setting up a VPN server and had to figure out what ports and protocols to enable on our Cisco PIX 515E firewall. Here they are:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through router, open Protocol ID 47.
L2TP over IPSec
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T) open UDP 4500.
To allow L2TP traffic, open UDP 1701.
Here’s the Cisco access list: (gre=Protocol ID 47, pptp=1723, isakmp=500)
access-list OUTSIDE permit gre any host OUTSIDEIP
access-list OUTSIDE permit tcp any host OUTSIDEIP eq pptp
access-list OUTSIDE permit udp any host OUTSIDEIP eq 1701
access-list OUTSIDE permit udp any host OUTSIDEIP eq 4500
access-list OUTSIDE permit udp any host OUTSIDEIP eq isakmp
(edited to update UDP port 5500 to 4500 as noted in the comments)