I have some users behind my FWSM who want to be able to initiate VPN using the Cisco VPN client to external locations.
UDP and TCP are allowed outbound, and the FWSM obviously handles the return traffic. So the IKE tunnel establishes OK and authentication takes place without any problem.
However once the tunnel is established no traffic flows. Testing and netflow monitoring would suggest this is because *return* ESP traffic is being blocked by the FWSM.
If I add a "Permit esp any any" rule to the inbound access list then everything works fine, but I'm not happy with having such a non-specific rule there.
Surely the FWSM should be able to recognise IKE sessions between 2 points and then allow parallel ESP traffic between the same points! On the pix there is a "fixup esp-ike" command but there is no equivalent on the FWSM.
Are you running v3.x on your FWSM? The fixup esp-ike command is not supported in version 7.x of the PixOS so it won't be there.
I may be mistaken, but I don't think that using the fixup esp-ike means you don't have to allow ESP through your firewall anyway. This fixup is to allow one VPN tunnel to function even if the firewall is doing PAT, but I still think you would need to allow ESP back through.
Do you know the external locations? How many are there? Could you not include these in an object-group and then only allow ESP from these addresses?
I'm using v3.1, though that fixup isn't available in v2.3 either.
I do know where this particular VPN is terminating, so I can put in a more specific access list, but there is likely to be further demand for this and I'm just surprised that the FWSM can't handle ESP in a session-based manner.
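The object-group approach suggested above, written out as an added example for an FWSM 3.x inbound access list (this is not configuration from any of the posters). The peer addresses (203.0.113.10 and 203.0.113.11), the object-group name VPN-PEERS, the access-list name OUTSIDE-IN and the interface name outside are all placeholders. IKE (UDP/500) and NAT-T (UDP/4500) are stateful UDP flows, so the outbound permit already covers their return traffic; ESP (IP protocol 50) carries no ports for the FWSM to track, which is why it needs an explicit inbound permit, and the object-group limits that permit to known peers instead of "any any".

```cisco
! Known remote VPN concentrators (placeholder addresses)
object-group network VPN-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! Return ESP is only accepted from the listed peers.
! The destination could be narrowed further to the outside-facing
! address range used by the VPN clients (assumption: left as any here).
access-list OUTSIDE-IN extended permit esp object-group VPN-PEERS any
!
! Optional: explicitly document the IKE and NAT-T ports from the same peers.
! Not strictly needed for return traffic, since the outbound UDP flow is
! tracked statefully, but it keeps the peer list in one place.
access-list OUTSIDE-IN extended permit udp object-group VPN-PEERS any eq isakmp
access-list OUTSIDE-IN extended permit udp object-group VPN-PEERS any eq 4500
!
access-group OUTSIDE-IN in interface outside
```

When a new remote site is added, only the object-group changes; the access-list entries stay as they are. `show access-list OUTSIDE-IN` shows hit counts per entry, so it is easy to confirm the ESP line is the one being matched once a tunnel is up.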