I have some users behind my FWSM who want to be able to initiate VPN using the Cisco VPN client to external locations.
UDP and TCP are allowed outbound, and the FWSM obviously handles the return traffic. So the IKE tunnel establishes OK and authentication takes place without any problem.
However once the tunnel is established no traffic flows. Testing and netflow monitoring would suggest this is because *return* ESP traffic is being blocked by the FWSM.
If I add a "Permit esp any any" rule to the inbound access list then everything works fine, but I'm not happy with having such a non-specific rule there.
Surely the FWSM should be able to recognise IKE sessions between 2 points and then allow parallel ESP traffic between the same points! On the PIX there is a "fixup esp-ike" command but there is no equivalent on the FWSM.
Anyone any ideas?
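As an added illustration (not part of the original post, and not Cisco code) of the behaviour the poster is asking for, the following simulation models a firewall that records outbound IKE negotiations (UDP 500 and the NAT-T port 4500) and admits return ESP only between the same pair of endpoints, with the entry expiring after an idle timeout. It is placed next to a model of the blanket "permit esp any any" rule so the difference in what each one lets through is visible. The class and function names, the packet representation, the 600-second idle timeout and the sample addresses are all assumptions; NAT is ignored, so the inside host address is used directly on both sides.

```python
# Added example (not from the original post): a simulation of an
# "allow return ESP only for peers with an observed IKE session" tracker,
# in the spirit of the PIX "fixup esp-ike", beside the blanket rule.
# Names, timeout and sample addresses are assumptions; NAT is not modelled.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_UDP_PORTS = (500, 4500)       # IKE and IKE NAT-Traversal
IKE_SESSION_IDLE_SECONDS = 600    # assumed idle timeout for a tracked IKE peer


@dataclass(frozen=True)
class Packet:
    """Minimal packet view: addresses, transport/protocol and an optional port."""
    src: str
    dst: str
    proto: str                    # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # only meaningful for udp/tcp; ESP has no ports


class EspIkeTracker:
    """Records outbound IKE peers and admits only the matching return ESP."""

    def __init__(self, idle_seconds: int = IKE_SESSION_IDLE_SECONDS):
        self.idle_seconds = idle_seconds
        # (inside host, outside peer) -> time the last IKE packet was seen
        self._ike_peers: Dict[Tuple[str, str], float] = {}

    def observe_outbound(self, pkt: Packet, now: float) -> None:
        """Called for every packet leaving the inside; notes IKE negotiations."""
        if pkt.proto == "udp" and pkt.dport in IKE_UDP_PORTS:
            self._ike_peers[(pkt.src, pkt.dst)] = now

    def _expire(self, now: float) -> None:
        """Drop peers whose IKE traffic has been idle longer than the timeout."""
        stale = [k for k, t in self._ike_peers.items() if now - t > self.idle_seconds]
        for k in stale:
            del self._ike_peers[k]

    def allow_inbound(self, pkt: Packet, now: float) -> bool:
        """Decision for a packet arriving from the outside.

        True only for ESP whose (outside peer -> inside host) pair mirrors an
        IKE session seen within the idle window. Anything else is left to the
        static inbound ACL, which this model treats as deny.
        """
        self._expire(now)
        if pkt.proto != "esp":
            return False
        return (pkt.dst, pkt.src) in self._ike_peers


def permit_esp_any_any(pkt: Packet) -> bool:
    """The blanket rule the poster wants to avoid: every ESP datagram is admitted."""
    return pkt.proto == "esp"


def demo() -> Dict[str, bool]:
    """Constructed scenario: one inside host negotiates IKE with one outside peer."""
    tracker = EspIkeTracker()
    tracker.observe_outbound(Packet("10.1.1.5", "203.0.113.10", "udp", 500), now=0)
    expected = Packet("203.0.113.10", "10.1.1.5", "esp")   # return ESP from the real peer
    stray = Packet("198.51.100.7", "10.1.1.5", "esp")      # ESP from an unrelated source
    return {
        "tracked_expected": tracker.allow_inbound(expected, now=5),        # True
        "tracked_stray": tracker.allow_inbound(stray, now=5),              # False
        "blanket_stray": permit_esp_any_any(stray),                        # True
        "tracked_expected_after_timeout": tracker.allow_inbound(expected, now=1000),  # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the comparison is the `stray` packet: the blanket rule admits ESP from any source towards any inside host, while the tracker admits it only for a peer the inside host has itself negotiated with, and stops doing so once the IKE session goes quiet. On a platform without such a fixup, the same narrowing can be approximated statically by permitting ESP only from the addresses of the VPN gateways the users actually connect to, rather than from any source.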