Cisco 2600 implement IPsec passthrough

Aug 4th, 2009

Hello, at work we have:


On our LAN we have an FTP server; we have configured an IPsec VPN on OpenBSD using IKE (ESP) to secure our FTP over the Internet.

Now I want to configure my Cisco to pass IPsec passthrough packets. Can you help me, please?


John Blakley Tue, 08/04/2009 - 11:25

Do you have any access-lists on the router? If not, it will pass everything through. If you have an ACL on the outside interface of the router, you'll need to make sure that you allow:


udp 500



cisco24x7 Tue, 08/04/2009 - 13:05

Let's say the Cisco 2600 public IP address is and the OpenBSD firewall's external IP facing the Cisco router is

and that the Cisco router interface connected to the OpenBSD firewall is . Here is how you do it:

! Outside (Internet-facing) interface
interface f0/0
 ip nat outside
 ip address
 ip access-group 100 in
!
! Inside interface toward the OpenBSD firewall
interface f0/1
 ip nat inside
 ip address
!
! Inbound on the outside interface: IKE (UDP/500), ESP (IP protocol 50)
! and NAT-T (UDP/4500). Everything else falls to the implicit deny at
! the end of the list.
access-list 100 permit udp any any eq 500 log
access-list 100 permit esp any any log
access-list 100 permit udp any any eq 4500 log
!
! Static translations from the f0/0 address to the OpenBSD firewall.
! ESP has no ports, so its entry is keyed on the protocol alone.
ip nat inside source static udp 500 interface f0/0 500
ip nat inside source static esp interface f0/0
ip nat inside source static udp 4500 interface f0/0 4500

Basically, anyone connecting to the Cisco 2600 will be forwarded to the OpenBSD firewall for VPN access. This works for both remote-access and L2L VPN.

Easy, right?
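To see exactly what the posted configuration lets through, here is an added example (not code from the thread or from either poster) that models the inbound path on f0/0: the three entries of access-list 100, the implicit "deny ip any any" that IOS appends to every ACL, and the three static NAT entries that hand permitted traffic to the OpenBSD firewall. The inside address of the OpenBSD firewall is not given in the post, so OPENBSD_INSIDE below is an assumed placeholder from the RFC 5737 documentation range; the packets fed through it are constructed.

```python
"""Model the inbound path on the Cisco 2600's f0/0 from the post: the three
access-list 100 entries, IOS's implicit 'deny ip any any', and the static
NAT entries that hand permitted traffic to the OpenBSD firewall.

Added example, not code from the thread. The OpenBSD firewall's inside
address was not given in the post; OPENBSD_INSIDE is an assumed placeholder
from the RFC 5737 documentation range. All packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Verbatim ACL from the post ('log' does not affect matching).
ACL_100 = """
access-list 100 permit udp any any eq 500 log
access-list 100 permit esp any any log
access-list 100 permit udp any any eq 4500 log
"""

# IOS protocol keywords -> IP protocol numbers (None = any IP protocol).
IP_PROTO: Dict[str, Optional[int]] = {
    "ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51,
}

# Assumed inside address of the OpenBSD firewall (not in the original post).
OPENBSD_INSIDE = "192.0.2.10"

# The post's three 'ip nat inside source static' entries, keyed the way IOS
# distinguishes them: UDP by (protocol, port); ESP by protocol alone because
# ESP has no ports, so only one inside host can receive raw ESP this way.
STATIC_NAT: Dict[Tuple[int, Optional[int]], str] = {
    (17, 500): OPENBSD_INSIDE,    # IKE
    (50, None): OPENBSD_INSIDE,   # ESP
    (17, 4500): OPENBSD_INSIDE,   # NAT-T (IKE and UDP-encapsulated ESP)
}


@dataclass
class Packet:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # destination port for TCP/UDP, else None


@dataclass
class Ace:
    action: str           # 'permit' or 'deny'
    proto: Optional[int]  # None matches any IP protocol
    dport: Optional[int]  # None matches any destination port
    text: str             # original line, reported on match


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO any any [eq PORT] [log]'.

    Only the 'any any' address form used in the post is supported; anything
    else raises rather than silently matching."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if (len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny")
                or tok[3] not in IP_PROTO or tok[4:6] != ["any", "any"]):
            raise ValueError(f"unsupported ACE: {line}")
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        aces.append(Ace(tok[2], IP_PROTO[tok[3]], dport, line.strip()))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def forward(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Inbound ACL first (IOS checks it before outside-to-inside NAT), then the
    static NAT lookup. Returns ('forwarded', inside_ip) or ('dropped', why)."""
    action, why = evaluate(aces, pkt)
    if action != "permit":
        return "dropped", why
    key = (pkt.proto, pkt.dport if pkt.proto in (6, 17) else None)
    inside = STATIC_NAT.get(key)
    if inside is None:
        return "dropped", "permitted by ACL but no static NAT entry"
    return "forwarded", inside


SAMPLE = [  # constructed traffic arriving on f0/0 from the Internet
    ("IKE main mode", Packet(17, 500)),
    ("ESP, no NAT-T", Packet(50)),
    ("NAT-T (IKE or ESP in UDP)", Packet(17, 4500)),
    ("AH", Packet(51)),
    ("plain FTP to the public IP", Packet(6, 21)),
    ("ICMP echo to the public IP", Packet(1)),
]

if __name__ == "__main__":
    aces = parse_acl(ACL_100)
    for label, pkt in SAMPLE:
        print(f"{label:28} -> {forward(aces, pkt)}")
```

Running it shows the intended effect and two caveats a practitioner should expect: IKE, ESP and NAT-T reach the OpenBSD box, while AH, unencrypted FTP and ICMP aimed at the public address all hit the implicit deny, so an AH-based policy on the OpenBSD side would not pass and the router's public IP stops answering ping. Once both peers negotiate NAT-T, ESP rides inside UDP/4500 and the raw-ESP static entry only matters for peers that do not support it; because that entry is keyed on the protocol alone, it can only ever point at one inside host.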

