FWSM, VPN Client, ESP passthrough

Unanswered Question
May 15th, 2007

I have some users behind my FWSM who want to be able to initiate VPN using the Cisco VPN client to external locations.

UDP and TCP are allowed outbound, and the FWSM obviously handles the return traffic. So the IKE tunnel establishes OK and authentication takes place without any problem.

However once the tunnel is established no traffic flows. Testing and netflow monitoring would suggest this is because *return* ESP traffic is being blocked by the FWSM.

If I add a "Permit esp any any" rule to the inbound access list then everything works fine, but I'm not happy with having such a non-specific rule there.

Surely the FWSM should be able to recognise IKE sessions between 2 points and then allow parallel ESP traffic between the same points! On the pix there is a "fixup esp-ike" command but there is no equivalent on the FWSM.

Anyone any ideas?

Jon Marshall Tue, 05/15/2007 - 23:04

Hi Liam

Are you running v3.x on your FWSM? The fixup esp-ike command is not supported in version 7.x of the PixOS so it won't be there.

I may be mistaken, but I don't think that using the fixup esp-ike means you don't have to allow ESP through your firewall anyway. This fixup is to allow one VPN tunnel to function even if the firewall is doing PAT, but I still think you would need to allow ESP back through.

Do you have the external locations? How many are there? Could you not include these in an object-group and then only allow ESP from these addresses?

Apologies if I have misunderstood.


liamkennedy Wed, 05/16/2007 - 00:08

I'm using v3.1, though that fixup isn't available in v2.3 either.

I do know where this particular VPN is terminating, so I can put in a more specific access list, but there is likely to be further demand for this and I'm just surprised that the FWSM can't handle ESP in a session-based manner.

Jon Marshall Wed, 05/16/2007 - 00:26

Hi Liam

Yes, I understand your frustration. Trouble is, stateful firewalls as a whole only do proper session control for TCP connections. They do a sort of pseudo control for UDP based on timeouts.

For protocols at layer 3, e.g. ICMP, ESP, there really is no state to keep, so you have to allow them through the firewall independently.

Can you not ask the user what IP address they connect to?

Sorry I can't be more help.
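As an added illustration of Jon's object-group suggestion and of his point that ESP carries no TCP/UDP-style session state (it is IP protocol 50 with no ports, so the FWSM has nothing to build a connection entry from), here is a FWSM 3.x / PIX 7.x-style configuration fragment. It is not from the original thread. The ACL and object-group names, the 203.0.113.x headend addresses (RFC 5737 documentation range) and the 192.0.2.5 address that stands for whatever the inside clients are translated to on the outside interface are all assumed placeholders.

```cisco
! Added example, not from the original post; all names and addresses are placeholders.
!
! External VPN headends that the inside Cisco VPN Client users dial into.
object-group network VPN_PEERS
 description External VPN concentrators (assumed addresses, RFC 5737 range)
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! Address the inside clients appear as on the outside (their NAT/PAT address, assumed).
object-group network VPN_CLIENTS_OUTSIDE
 network-object host 192.0.2.5
!
! Inbound on the outside interface. Instead of "permit esp any any", permit
! ESP (IP protocol 50: no ports, so no UDP/TCP-style session tracking) only
! from the known headends to the translated client address.
access-list OUTSIDE_IN extended permit esp object-group VPN_PEERS object-group VPN_CLIENTS_OUTSIDE
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound IKE (UDP/500) and NAT-T (UDP/4500) to the same headends. The thread
! already allows all UDP outbound; this only shows the tighter equivalent. The
! FWSM tracks these UDP flows itself, so no inbound permit is needed for them.
access-list INSIDE_OUT extended permit udp any object-group VPN_PEERS eq isakmp
access-list INSIDE_OUT extended permit udp any object-group VPN_PEERS eq 4500
access-group INSIDE_OUT in interface inside
```

After a client brings a tunnel up, `show access-list OUTSIDE_IN` should show the hit count on the esp line climbing while traffic flows; a climbing count on the deny line with ESP from a headend not in VPN_PEERS means another peer needs to be added to the object-group rather than the rule widened back to any/any. One caveat: because ESP has no ports, several inside clients behind a single PAT address cannot share raw ESP at all, whatever the ACL says. In that case the client and headend must use NAT-T (UDP/4500) or the IPsec-over-UDP/TCP options of the Cisco VPN Client, and the return traffic is then ordinary UDP or TCP that the FWSM tracks statefully, so the explicit ESP permit is not needed for those sessions.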


