Guest Users attempting to VPN out are Denied

Unanswered Question
Jun 27th, 2008

Has anyone had issues where guest users would come into your company network to VPN out to their own company network but are not able to, because the return traffic back to that user comes back as ESP instead of IP?

Marwan ALshawi Fri, 06/27/2008 - 19:39

Sure, it is similar to when you have a perimeter router and your VPN termination behind it: you have to permit ESP and also UDP ISAKMP.

Try to permit it from any source to your inside network to allow them to establish their VPN tunnels.

Rate if useful.


yuchenglai Sun, 06/29/2008 - 08:42

I'm wondering if there is a more graceful way of resolving this issue besides permitting ESP for any source on the outside network to the inside network.

Is there a way that the FWSM will allow only particular return ESP traffic based on previous outbound IPsec VPN tunnel negotiation attempts?

When looking at the options for protocols when configuring ACLs, I noticed that one of the protocols was IPsec. For example, access-list [word] extended permit [protocol], where one of the options for protocol was IPSEC. In what situation would this be used? Can this be used to provide stateful inspection of outbound IPsec VPN tunnel negotiation attempts?

Marwan ALshawi Sun, 06/29/2008 - 16:41

Your idea is right,

but I think it is not available with the FWSM.

Try first to allow ESP and ISAKMP from the inside,

and try this feature which is available on the ASA,

called IPsec pass-through:

Firewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# esp
Firewall(config)# policy-map global_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect ipsec-pass-thru ipsec_pmap_name

Marwan ALshawi Sun, 06/29/2008 - 20:05

Hi there,

try this and I am sure it is going to work, and it is more secure than the first suggestion I gave you:

make an ACL that permits ESP in the inbound direction, where the source address is the VPN termination device that your VPN client uses and the destination is any;

put it in on your outside interface.

Also permit ESP and ISAKMP any any on your inside interface.

By the way, do you use PAT?

Good luck.

Rate if helpful.
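The post above proposes a peer-restricted inbound ESP ACL and asks about PAT; the earlier question asked whether return ESP could instead be admitted only after an outbound IPsec negotiation was seen. The following is an added example, not code from the thread or from Cisco: a small Python model of such a state-driven ESP pinhole, showing why bare ESP breaks behind PAT (it carries no port to demultiplex on) while NAT-T (UDP/4500) does not. All addresses, port numbers and the 600-second idle timeout are constructed for the illustration.

```python
# Added illustration (not FWSM/ASA code): a stateful ESP pinhole keyed on
# the inside host's own outbound IKE traffic, plus the PAT caveat.
from dataclasses import dataclass

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORTS = (500, 4500)            # ISAKMP and NAT-T


@dataclass(frozen=True)
class Packet:                      # constructed 5-tuple, no payload needed
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


class IpsecPassThru:
    """Outbound UDP/500 or UDP/4500 from an inside host opens a pinhole
    (inside, peer); return ESP or IKE/NAT-T from that peer is accepted until
    the pinhole idles out.  With PAT, return ESP has no port, so it can only
    be mapped back when exactly one inside host is talking to that peer."""

    def __init__(self, outside_addr: str, pat: bool = False, idle: int = 600):
        self.outside_addr = outside_addr
        self.pat = pat
        self.idle = idle
        self.pinholes: dict[tuple[str, str], int] = {}    # (inside, peer) -> last seen
        self.pat_ports: dict[int, tuple[str, int]] = {}   # translated port -> (inside, sport)
        self._next_port = 1024                            # hypothetical PAT pool start
        self.log: list[str] = []

    def _expire(self, now: int) -> None:
        for key, seen in list(self.pinholes.items()):
            if now - seen > self.idle:
                del self.pinholes[key]

    def outbound(self, pkt: Packet, now: int) -> bool:
        """Inside -> outside.  IKE opens a pinhole; ESP needs one already."""
        self._expire(now)
        if pkt.proto == PROTO_UDP and pkt.dport in IKE_PORTS:
            self.pinholes[(pkt.src, pkt.dst)] = now
            if self.pat:                                   # allocate a translated port
                self.pat_ports[self._next_port] = (pkt.src, pkt.sport)
                self._next_port += 1
            return True
        if pkt.proto == PROTO_ESP:
            return (pkt.src, pkt.dst) in self.pinholes
        return False                                       # other traffic: out of scope

    def inbound(self, pkt: Packet, now: int) -> bool:
        """Outside -> inside.  True only for return traffic of an open pinhole."""
        self._expire(now)
        peer = pkt.src
        if self.pat and pkt.dst != self.outside_addr:
            return False
        if pkt.proto == PROTO_ESP:
            if not self.pat:
                return (pkt.dst, peer) in self.pinholes
            hosts = [h for (h, p) in self.pinholes if p == peer]
            if len(hosts) != 1:                            # ESP has no port to demux on
                self.log.append(f"drop ESP from {peer}: {len(hosts)} inside hosts behind PAT")
                return False
            return True
        if pkt.proto == PROTO_UDP and pkt.sport in IKE_PORTS:
            if self.pat:
                mapped = self.pat_ports.get(pkt.dport)
                if mapped is None:
                    return False
                inside = mapped[0]
            else:
                inside = pkt.dst
            if (inside, peer) in self.pinholes:
                self.pinholes[(inside, peer)] = now          # refresh idle timer
                return True
        return False


def demo() -> dict[str, bool]:
    """Two guests behind one PAT address, both dialing the same home peer."""
    fw = IpsecPassThru(outside_addr="203.0.113.2", pat=True)   # constructed addresses
    guest_a, guest_b, peer_x = "10.1.1.10", "10.1.1.11", "198.51.100.1"
    r = {}
    r["unsolicited"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_ESP), now=0)
    fw.outbound(Packet(guest_a, peer_x, PROTO_UDP, sport=500, dport=500), now=1)
    r["ike_reply"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_UDP, sport=500, dport=1024), now=2)
    r["esp_after_ike"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_ESP), now=3)
    fw.outbound(Packet(guest_b, peer_x, PROTO_UDP, sport=500, dport=500), now=4)
    r["esp_two_hosts"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_ESP), now=5)
    fw.outbound(Packet(guest_b, peer_x, PROTO_UDP, sport=4500, dport=4500), now=6)
    r["natt_b"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_UDP, sport=4500, dport=1026), now=7)
    r["esp_stale"] = fw.inbound(Packet(peer_x, fw.outside_addr, PROTO_ESP), now=5000)
    return r


if __name__ == "__main__":
    print(demo())
```

The demo rejects unsolicited ESP, accepts ESP only after guest A's own IKE exchange, drops it again once a second guest is negotiating with the same peer through PAT (the firewall cannot tell whose ESP it is), still passes guest B's NAT-T because UDP/4500 carries a translated port, and closes the pinhole after the idle timeout. This is the behaviour the thread wishes for on the FWSM; on the ASA the ipsec-pass-thru inspection plays this role, and without it the fallback is the peer-restricted static ACL described above.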

yuchenglai Mon, 06/30/2008 - 09:52

I already have an ACL in the inbound direction for particular source addresses that are VPN termination devices.

yuchenglai Mon, 06/30/2008 - 11:01

You are right about the FWSM not having the IPsec inspection feature, whereas PIX version 6.x does:

"fixup protocol esp-ike" ... which is not available in the FWSM.

