06-27-2008 01:17 PM - edited 03-11-2019 06:06 AM
Has anyone had issues where guest users come into your company network to VPN out to their own company network but are not able to because the return traffic back to that user comes back as ESP instead of IP?
06-27-2008 07:39 PM
Sure, it is similar to when you have a perimeter router and your VPN termination behind it: you have to permit ESP and also UDP ISAKMP.
Try to permit it from any source to your inside network to allow them to establish their VPN tunnels.
Rate if useful.
Thanks
06-29-2008 08:42 AM
I'm wondering if there is a more graceful way of resolving this issue besides permitting ESP for any source on the outside network to the inside network.
Is there a way that the FWSM will allow only particular return ESP traffic based on previous outbound IPsec VPN tunnel negotiation attempts?
When looking at the options for protocols when configuring ACLs, I noticed that one of the protocols was IPSec. For example, access-list [word] extended permit [protocol], where one of the options for protocol was IPSEC. In what situation would this be used? Can this be used to provide stateful inspection of outbound IPSec VPN tunnel negotiation attempts?
06-29-2008 04:41 PM
Your idea is right,
but I think it is not available with FWSM.
Try first to allow ESP and ISAKMP from the inside,
and try this feature which is available in ASA,
called IPsec pass-through:
Firewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# esp
Firewall(config-pmap-c)# inspect ipsec-pass-thru [ipsec_pmap_name]
06-29-2008 08:05 PM
Hi there,
try this and I am sure it's gonna work and be more secure than the first suggestion I've given you:
make an ACL that permits ESP in the inbound direction where the source address is the VPN termination device that your VPN client uses and the destination is any.
Put it in on your outside interface.
Also permit ESP and ISAKMP any any on your inside interface.
By the way, do you use PAT?
Good luck,
rate if helpful.
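The two suggestions in this thread put together as an added example (not config from any poster): a constructed ACL set for the outside and inside interfaces, where 203.0.113.10 and 203.0.113.20 stand in for the guests' VPN gateways, followed by the ASA-only ipsec-pass-thru inspection that ties return ESP to a preceding IKE exchange; the object-group, ACL and policy names are assumptions.

```cisco
! Constructed example: known VPN termination devices the guests connect to
object-group network GUEST_VPN_GATEWAYS
 network-object host 203.0.113.10
 network-object host 203.0.113.20
!
! Weak form (what the first reply suggested), kept here only for comparison:
! access-list outside_in extended permit esp any any
!
! Tighter form: only the known gateways, only IKE (UDP/500) and ESP, inbound on outside
access-list outside_in extended permit udp object-group GUEST_VPN_GATEWAYS any eq isakmp
access-list outside_in extended permit esp object-group GUEST_VPN_GATEWAYS any
access-group outside_in in interface outside
!
! Inside interface: let guests initiate IKE and send ESP out
access-list inside_out extended permit udp any any eq isakmp
access-list inside_out extended permit esp any any
access-group inside_out in interface inside
!
! ASA only (not on FWSM): inspection opens the return ESP pinhole per client
! after its IKE negotiation, with a per-client tunnel cap and idle timeout
policy-map type inspect ipsec-pass-thru IPSEC_PT
 parameters
  esp per-client-max 2 timeout 0:10:00
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC_PT
```

With the inspection in place the outside ACL can stay limited to the known gateways; widen it only if guests report gateways that are not in the object-group.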
06-30-2008 09:52 AM
I already have an ACL in the inbound direction for particular source addresses that are VPN termination devices.
06-30-2008 11:01 AM
You are right about the FWSM not having the IPSec inspection feature, whereas PIX version 6.x does.
"fixup protocol esp-ike" ...which is not available in FWSM.