Guest Users attempting to VPN out are Denied

Unanswered Question
Jun 27th, 2008

Has anyone had issues where guest users would come into your company network to VPN out to their own company network but is not able because the return traffic back to that user comes back as ESP instead of IP?

Marwan ALshawi Fri, 06/27/2008 - 19:39

Sure. It is similar to when you have a perimeter router and your VPN termination behind it: you have to permit ESP and also UDP ISAKMP.

Try to permit it from any source to your inside network to allow them to establish their VPN tunnels.


rate if useful


thanks

yuchenglai Sun, 06/29/2008 - 08:42

I'm wondering if there is a more graceful way of resolving this issue besides permitting ESP for any source on the outside network to the inside network.


Is there a way that the FWSM will allow only particular return ESP traffic based on previous outbound IPsec VPN tunnel negotiation attempts?


When looking at the options for protocols when configuring ACLs, I noticed that one of the protocols was IPsec. For example, access-list [word] extended permit [protocol], where one of the options for protocol was IPSEC. In what situation would this be used? Can this be used to provide stateful inspection of outbound IPsec VPN tunnel negotiation attempts?

Marwan ALshawi Sun, 06/29/2008 - 16:41

Your idea is right,

but I think it is not available with FWSM.

Try first to allow ESP and ISAKMP from the inside,

and try this feature which is available in ASA,

called IPsec pass-through:


Firewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name


Firewall(config-pmap-c)# inspect ipsec-pass-thru [ipsec_pmap_name]



Marwan ALshawi Sun, 06/29/2008 - 20:05

Hi there,

Try this, and I am sure it is going to work and be more secure than the first suggestion I've given to you:

Make an ACL that permits ESP in the inbound direction, where the source address is the VPN termination device that your VPN client uses and the destination is any.

Put it in on your outside interface.

Also permit ESP and ISAKMP any any on your inside interface.

By the way, do you use PAT?

Good luck.

Rate if helpful,
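An added example, not taken from any post in this thread: a small Python model contrasting the source-restricted inbound ESP ACL suggested in the reply above with the stateful IPsec pass-through behaviour (the "inspect ipsec-pass-thru" idea from the earlier reply) that yuchenglai asked about. Because ESP carries no ports, a plain ACL can only match on addresses, so a "known peer to any" permit also lets that peer's ESP reach inside hosts that never negotiated a tunnel; a pass-through inspection keyed on the outbound ISAKMP exchange is narrower. The addresses, the idle timeout and the pinhole matching rule are constructed assumptions; the real ASA/FWSM implementation details are not modelled, and UDP/500 return traffic is left to the ordinary connection table in both models.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# IP protocol numbers and the ISAKMP port (real values).
ESP = 50
UDP = 17
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for UDP


class StaticEspAcl:
    """The ACL approach from the reply above: inbound ESP is permitted only
    from known VPN termination devices, to any destination. Outbound ESP and
    ISAKMP are permitted 'any any'."""

    def __init__(self, known_peers: Set[str]) -> None:
        self.known_peers = set(known_peers)

    def outbound(self, pkt: Packet) -> bool:
        return pkt.proto == ESP or (pkt.proto == UDP and pkt.dport == ISAKMP_PORT)

    def inbound(self, pkt: Packet) -> bool:
        return pkt.proto == ESP and pkt.src in self.known_peers


class IpsecPassThru:
    """Model of stateful ESP pass-through: an inside host that sends ISAKMP to
    a peer opens a pinhole keyed by (peer, inside host). Return ESP is permitted
    only through a matching pinhole, and an idle pinhole is closed.
    Timer values and matching details are assumptions, not the ASA's own."""

    def __init__(self, idle_timeout: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.pinholes: Dict[Tuple[str, str], float] = {}  # (peer, host) -> last seen

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.src)                 # (peer, inside host)
        if pkt.proto == UDP and pkt.dport == ISAKMP_PORT:
            self.pinholes[key] = self.clock()    # negotiation seen: open pinhole
            return True
        if pkt.proto == ESP and key in self.pinholes:
            self.pinholes[key] = self.clock()    # outbound ESP keeps it alive
            return True
        return False

    def inbound(self, pkt: Packet) -> bool:
        if pkt.proto != ESP:
            return False
        key = (pkt.src, pkt.dst)
        last_seen = self.pinholes.get(key)
        if last_seen is None:
            return False                         # no prior negotiation: deny
        if self.clock() - last_seen > self.idle_timeout:
            del self.pinholes[key]               # stale pinhole: close and deny
            return False
        self.pinholes[key] = self.clock()
        return True


def run_trace(policy, trace: List[Tuple[str, Packet]]) -> List[bool]:
    """Feed ('out'|'in', Packet) events through a policy; return its decisions."""
    return [policy.outbound(p) if d == "out" else policy.inbound(p) for d, p in trace]


class FakeClock:
    """Deterministic clock so the idle-out case can be shown offline."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, secs: float) -> None:
        self.t += secs


def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed trace (documentation addresses, not real devices): guest host
    10.0.0.5 negotiates with its own company's VPN gateway 203.0.113.10."""
    clock = FakeClock()
    static = StaticEspAcl({"203.0.113.10"})
    stateful = IpsecPassThru(idle_timeout=10.0, clock=clock)
    trace = [
        ("out", Packet(UDP, "10.0.0.5", "203.0.113.10", ISAKMP_PORT)),  # IKE out
        ("in",  Packet(ESP, "203.0.113.10", "10.0.0.5")),   # expected return ESP
        ("in",  Packet(ESP, "198.51.100.7", "10.0.0.5")),   # ESP from unknown source
        ("in",  Packet(ESP, "203.0.113.10", "10.0.0.9")),   # known peer, no negotiation
    ]
    static_result = run_trace(static, trace)
    stateful_result = run_trace(stateful, trace)
    clock.advance(60)                                      # tunnel went idle
    late = Packet(ESP, "203.0.113.10", "10.0.0.5")
    static_result.append(static.inbound(late))
    stateful_result.append(stateful.inbound(late))
    return static_result, stateful_result


if __name__ == "__main__":
    print(demo())  # ([True, True, False, True, True], [True, True, False, False, False])
```

The fourth and fifth decisions are the point: the static ACL still admits ESP from the known peer to an inside host that never negotiated, and admits it indefinitely, while the pass-through model denies both. That is the gap between "permit ESP from a specific peer" and the inspection feature the thread notes is available on ASA and PIX 6.x but not on FWSM.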


yuchenglai Mon, 06/30/2008 - 09:52

I already have an ACL in the inbound direction for the particular source addresses that are VPN termination devices.

yuchenglai Mon, 06/30/2008 - 11:01

You are right about the FWSM not having the IPsec inspection feature, whereas PIX version 6.x does:


"fixup protocol esp-ike" ...which is not available in FWSM.
