01-22-2008 01:38 PM - edited 03-11-2019 04:52 AM
What's the conf required on FWSM to disable VPN/IPSEC traffic inspection or to allow VPN traffic explicitly?
01-22-2008 03:30 PM
Hi Aksher
The no fixup protocol pptp command will disable the inspection. To allow traffic to a specific external host from inside, you need the following ACLs
access-list inside_access_in permit gre any host externalVPNserver
access-list inside_access_in permit tcp any host externalVPNserver eq pptp
or if you like, you can specify the source and set destination as any
Keep in mind that if you don't have an existing inside_access_in, then you should specify the permitted traffic in this ACL, since this blocks the rest of the traffic from inside to outside.
Regards
01-22-2008 04:28 PM
But this is for a VPDN setup, no??? In my case
I am using remote VPN client and no PPTP.
01-23-2008 07:39 AM
Ah, I misunderstood your question.
In your case, this is usually resolved via authorization (like if you have a RADIUS or TACACS you can disable the specific user's VPN remote access), but the following can be tried.
IPsec over UDP uses port 4500 and IPsec over TCP uses 10000. You can block these ports to specific resources like
access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500
access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000
x.x.x.x is the global IP of the VPN client
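As an added example (not from the thread or from Cisco), here is a small Python model that parses access-list lines of the forms used in this thread and evaluates flows against them with first-match semantics and the implicit deny at the end of every ACL. The interface and client addresses are constructed documentation-range values standing in for x.x.x.x, and the third ACE is an assumed pre-existing permit included to show that the two denies above only cover NAT-T and IPsec-over-TCP, leaving IKE on UDP 500 (and ESP) untouched, which goes beyond what the reply states.

```python
"""Parse FWSM-style ACEs (any | host A | interface NAME, optional 'eq PORT')
and evaluate flows first-match with an implicit deny. Hypothetical helper."""
from ipaddress import ip_address, ip_network

INTERFACE_ADDRS = {"outside": "198.51.100.1"}  # assumed; 'interface outside' resolves here
VPN_CLIENT = "203.0.113.10"                     # constructed stand-in for x.x.x.x
PORT_NAMES = {"pptp": 1723, "isakmp": 500}      # named ports seen in this thread

def _addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "interface":
        return ip_network(INTERFACE_ADDRS[tokens[i + 1]] + "/32"), i + 2
    raise ValueError("unsupported address spec: " + tokens[i])

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an ACE: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":                 # port may be numeric or a known name
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(aces, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a flow; first matching ACE wins, no match = deny."""
    for a in aces:
        if a["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in a["src"] or ip_address(dst) not in a["dst"]:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"]
    return "deny"  # implicit deny at the end of every ACL

OUTSIDE_ACL = [parse_ace(l) for l in [
    f"access-list outside_access_in deny udp host {VPN_CLIENT} interface outside eq 4500",
    f"access-list outside_access_in deny tcp host {VPN_CLIENT} interface outside eq 10000",
    # constructed: an assumed pre-existing permit for ISAKMP to the firewall itself
    "access-list outside_access_in permit udp any interface outside eq isakmp",
]]
```

Running evaluate() on the NAT-T and IPsec-over-TCP flows from the client returns "deny", while the same client's IKE traffic on UDP 500 still returns "permit" through the assumed ACE.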