Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

FWSM, VPN Client, ESP passthrough

I have some users behind my FWSM who want to be able to initiate VPN using the Cisco VPN client to external locations.

UDP and TCP are allowed outbound, and the FWSM obviously handles the return traffic. So the IKE tunnel establishes OK and authentication takes place without any problem.

However once the tunnel is established no traffic flows. Testing and netflow monitoring would suggest this is because *return* ESP traffic is being blocked by the FWSM.

If I add a "Permit esp any any" rule to the inbound access list then everything works fine, but I'm not happy with having such an non-specific rule there.

Surely the FWSM should be able to recognise IKE sessions between 2 points and then allow parallel ESP traffic between the same points! On the pix there is a "fixup esp-ike" command but there is no equivalent on the FWSM.

Anyone any ideas?

Hall of Fame Super Blue

Re: FWSM, VPN Client, ESP passthrough

Hi Liam

Are you running v3.x on your FWSM. The fixup esp-ike command is not supported in version 7.x of the PixOS so it won't be there.

I may be mistaken but i don't think that using the fixup esp-ike means you don't have to allow ESP through your firewall anyway. This fixup is to allow one vpn tunnel to function even if the firewall is doing PAT but i still think you would need to allow ESP back through.

Do you have the external locations. How many are there. Could you not include these in an object-group and then only allow ESP from these addresses ?

Apologies if i have misunderstood


Community Member

Re: FWSM, VPN Client, ESP passthrough

I'm using v3.1 though that fixup isn't available in v2.3 either.

I do know where this particular VPN is terminating, so I can put in a more specific access list, but there is likely to be further demand for this and I'm just surprised that the FWSM can't handle ESP in a session-based manner.

Hall of Fame Super Blue

Re: FWSM, VPN Client, ESP passthrough

Hi Liam

Yes i understand your frustration. Trouble is stateful firewalls as a whole only do proper session control for TCP connections. They do a sort of pseudo control for UDP based on timeouts.

For protocols at layer 3 eg ICMP, ESP there really is no state to keep so you have to allow them through the firewall independently.

Can you not ask the user what IP address they connect to.

Sorry can't be more help


CreatePlease to create content