URGENT

aksher
Level 1

What's the conf required on FWSM to disable VPN/IPSEC traffic inspection or to allow VPN traffic explicitly?

3 Replies

husycisco
Level 7

Hi Aksher

The no fixup protocol pptp command will disable the inspection. To allow traffic to a specific external host from inside, you need the following ACLs:

access-list inside_access_in permit gre any host externalVPNserver

access-list inside_access_in permit tcp any host externalVPNserver eq pptp

or if you like, you can specify the source and set destination as any

Keep in mind that if you don't have an existing inside_access_in, then you should specify the permitted traffic in this ACL, since it blocks the rest of the traffic from inside to outside.

Regards

But this is for a VPDN setup, no??? In my case

I am using a remote VPN client and no PPTP.

Ah, I misunderstood your question.

In your case, this is usually resolved via authorization (like if you have a RADIUS or TACACS server, you can disable remote VPN access for the specific user), but the following can be tried.

IPsec over UDP uses port 4500 and IPsec over TCP uses 10000. You can block these ports to specific resources like:

access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500

access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000

x.x.x.x is the global IP of the VPN client.
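Since FWSM/PIX access lists are evaluated first-match, the client-specific deny entries above only take effect if they sit before any broader permit for the same ports. The following is an added example (not from this thread or from Cisco) that models that evaluation for the access-list syntax used in the replies; the ACL text, the client address 203.0.113.10 and the entry ordering are constructed for illustration.

```python
import re

# Constructed sample ACL in the syntax used in the thread; the client address
# 203.0.113.10 and the entry ordering are assumptions for illustration only.
SAMPLE_ACL = """
access-list outside_access_in deny udp host 203.0.113.10 interface outside eq 4500
access-list outside_access_in deny tcp host 203.0.113.10 interface outside eq 10000
access-list outside_access_in permit udp any interface outside eq 4500
access-list outside_access_in permit tcp any interface outside eq 10000
"""

# Subset of the PIX/FWSM access-list grammar that the lines above use.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any)\s+(?P<dst>host \S+|interface \S+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?$"
)
PORT_NAMES = {"pptp": 1723, "isakmp": 500}  # well-known names accepted after 'eq'

def parse_acl(text):
    """Parse access-list lines into ordered dicts; the order is what the firewall evaluates."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        ace = m.groupdict()
        if ace["port"] is not None:
            ace["port"] = PORT_NAMES.get(ace["port"]) or int(ace["port"])
        aces.append(ace)
    return aces

def _addr_match(spec, value):
    # 'host A' matches address A; 'interface outside' matches a packet sent to
    # the firewall's own outside address, which the caller names as "outside".
    kind, _, name = spec.partition(" ")
    return kind == "any" or name == value

def evaluate(aces, proto, src, dst, port):
    """Return the action of the first matching entry, or the implicit deny at the end."""
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"]
    return "deny"
```

Reversing the sample's line order puts the broad permits first, and `evaluate` then returns "permit" for the very client the deny entries were meant to block.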
