Guest Users attempting to VPN out are Denied

yuchenglai
Level 1

Has anyone had issues where guest users would come into your company network to VPN out to their own company network but is not able because the return traffic back to that user comes back as ESP instead of IP?

6 Replies

Marwan ALshawi
VIP Alumni

Sure, it is similar to when you have a perimeter router and your VPN termination behind it: you have to permit ESP and also UDP ISAKMP.

Try to permit it from any source to your inside network to allow them to establish their VPN tunnels.

rate if useful

thanks

I'm wondering if there is a more graceful way of resolving this issue besides permitting ESP for any source on the outside network to the inside network.

Is there a way that the FWSM will allow only particular return ESP traffic based on previous outbound IPsec VPN tunnel negotiation attempts?

When looking at the options for protocols when configuring ACLs, I noticed that one of the protocols was IPsec. For example, access-list [word] extended permit [protocol], where one of the options for protocol was IPSEC. In what situation would this be used? Can this be used to provide stateful inspection of outbound IPsec VPN tunnel negotiation attempts?

Your idea is right,

but I think it is not available with FWSM.

Try first to allow ESP and ISAKMP from the inside,

and try this feature which is available in ASA,

called IPsec passthrough:

Firewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name

Firewall(config-pmap-c)# inspect ipsec-pass-thru [ipsec_pmap_name]

Hi there,

try this; I am sure it is going to work and it is more secure than the first suggestion I've given to you.

Make an ACL that permits ESP in the inbound direction, where the source address is the VPN termination device that your VPN client uses and the destination is any.

Put it on your outside interface.

Also permit ESP and ISAKMP any any on your inside interface.

By the way, do you use PAT?

Good luck.

Rate if helpful.
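The two approaches discussed in this thread (a peer-specific ESP ACL on the outside interface, and ASA IPsec pass-through inspection), written out as an added ASA-style configuration that is not from the thread itself; the peer address 203.0.113.10 and the guest subnet 192.0.2.0/24 are placeholders.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.10 is the guest's
! VPN termination device, 192.0.2.0/24 is the guest network behind the firewall.
!
! --- Approach 1: static ACLs (usable on FWSM) ---
! Only ESP from the known VPN peer is admitted on the outside interface; the
! implicit deny still drops ESP from every other source. IKE (UDP/500) and
! NAT-T (UDP/4500) replies need no inbound permit because the firewall tracks
! the outbound UDP flow and lets its replies back through.
object-group network VPN_PEERS
 network-object host 203.0.113.10
access-list OUTSIDE_IN extended permit esp object-group VPN_PEERS any
access-group OUTSIDE_IN in interface outside
!
! Inside interface: guests may initiate IKE, NAT-T and ESP to any destination.
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 any eq 500
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 any eq 4500
access-list INSIDE_IN extended permit esp 192.0.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! --- Approach 2: IPsec pass-through inspection (ASA feature, not on FWSM) ---
! The inspection watches the IKE exchange leaving the inside and opens a hole
! for the matching ESP return traffic, so no static "permit esp" is needed on
! the outside interface. With PAT this also matters because ESP has no ports to
! translate; limiting ESP flows per client bounds what one guest can open.
policy-map type inspect ipsec-pass-thru IPSEC_PT_PARAMS
 parameters
  esp per-client-max 10 timeout 0:10:00
class-map IKE_TRAFFIC
 match port udp eq 500
policy-map global_policy
 class IKE_TRAFFIC
  inspect ipsec-pass-thru IPSEC_PT_PARAMS
service-policy global_policy global
```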

I already have an ACL in the inbound direction for particular source addresses that are VPN termination devices.

You are right about the FWSM not having the IPsec inspection feature, whereas PIX version 6.x does.

"fixup protocol esp-ike" ...which is not available in FWSM.
