Cisco Support Community
Guest Users attempting to VPN out are Denied

Has anyone had issues where guest users come into your company network to VPN out to their own company network but are not able to, because the return traffic back to that user comes back as ESP instead of IP?

6 REPLIES

Re: Guest Users attempting to VPN out are Denied

Sure, it is similar to when you have a perimeter router and your VPN termination behind it: you have to permit ESP and also UDP ISAKMP.

Try to permit it from any source to your inside network to allow them to establish their VPN tunnels.

Rate if useful.

Thanks


Re: Guest Users attempting to VPN out are Denied

I'm wondering if there is a more graceful way of resolving this issue besides permitting ESP from any source on the outside network to the inside network.

Is there a way that the FWSM will allow only particular return ESP traffic, based on previous outbound IPsec VPN tunnel negotiation attempts?

When looking at the options for protocols when configuring ACLs, I noticed that one of the protocols was IPsec. For example, access-list [word] extended permit [protocol], where one of the options for protocol was IPSEC. In what situation would this be used? Can it be used to provide stateful inspection of outbound IPsec VPN tunnel negotiation attempts?

Re: Guest Users attempting to VPN out are Denied

Your idea is right,

but I think it is not available with FWSM.

Try first to allow ESP and ISAKMP from the inside,

and try this feature which is available in ASA,

called IPsec pass-through:

Firewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# esp per-client-max 10 timeout 00:10:00
Firewall(config)# policy-map global_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect ipsec-pass-thru ipsec_pmap_name
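The stateful behaviour the original poster is asking for (return ESP allowed only where an inside host has just negotiated a tunnel) is what the ASA ipsec-pass-thru inspection above provides. As an added example that is not part of this thread and is not Cisco code, here is a small Python model of that inspection: outbound IKE from an inside host opens a pinhole for ESP between that host and that peer, the pinhole is refreshed by traffic and expires when idle, and a per-client limit caps how many pinholes one host may open. It is run side by side with the static "permit esp from listed peers" ACL so the difference shows. The inside network, host and peer addresses, the timeout and the per-client limit are all constructed for the example; only the protocol numbers and IKE ports are real.

```python
"""Added example (not FWSM/ASA code): a model of stateful IPsec pass-through.

Hosts, peer addresses, the timeout and the per-client limit are constructed
for this example; the protocol numbers and IKE ports are the real ones.
"""
import ipaddress
from dataclasses import dataclass, field

PROTO_UDP = 17                 # IP protocol numbers
PROTO_ESP = 50
IKE_PORTS = {500, 4500}        # ISAKMP and IKE NAT-T


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ts: float = 0.0            # seconds; drives the pinhole idle timeout


def static_esp_acl(pkt: Packet, vpn_peers: set) -> bool:
    """The ACL approach: permit inbound ESP from known VPN termination peers.
    It cannot tell which inside host, if any, negotiated a tunnel with the peer."""
    return pkt.proto == PROTO_ESP and pkt.src in vpn_peers


@dataclass
class IPsecPassThru:
    """Model of 'inspect ipsec-pass-thru': outbound IKE from an inside host
    opens a pinhole for ESP between that host and that peer; traffic refreshes
    the pinhole and it expires after `timeout` idle seconds."""
    inside_net: str                        # e.g. "10.1.1.0/24" (hypothetical)
    timeout: float = 600.0                 # like 'esp ... timeout 00:10:00'
    per_client_max: int = 10               # like 'esp per-client-max 10'
    pinholes: dict = field(default_factory=dict)   # (inside_host, peer) -> expiry

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.inside_net)

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.pinholes.items() if exp <= now]:
            del self.pinholes[key]

    def filter(self, pkt: Packet) -> str:
        """Return a 'permit: ...' or 'deny: ...' verdict for one packet."""
        self._expire(pkt.ts)
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)
        if outbound and pkt.proto == PROTO_UDP and pkt.dport in IKE_PORTS:
            key = (pkt.src, pkt.dst)
            if key not in self.pinholes:
                open_count = sum(1 for host, _ in self.pinholes if host == pkt.src)
                if open_count >= self.per_client_max:
                    return "deny: per-client-max reached"
            self.pinholes[key] = pkt.ts + self.timeout
            return "permit: outbound IKE, pinhole opened"
        if inbound and pkt.proto == PROTO_UDP and pkt.sport in IKE_PORTS:
            if (pkt.dst, pkt.src) in self.pinholes:
                return "permit: IKE reply to a host that started the exchange"
            return "deny: unsolicited IKE"
        if pkt.proto == PROTO_ESP and (outbound or inbound):
            key = (pkt.src, pkt.dst) if outbound else (pkt.dst, pkt.src)
            if key in self.pinholes:
                self.pinholes[key] = pkt.ts + self.timeout   # refresh idle timer
                return "permit: ESP via pinhole"
            return "deny: no pinhole (no IKE seen, or it expired)"
        return "deny: no matching rule"


def demo() -> dict:
    """Run constructed traffic through both policies and collect the verdicts."""
    fw = IPsecPassThru(inside_net="10.1.1.0/24", timeout=600.0, per_client_max=2)
    guest, other_host = "10.1.1.50", "10.1.1.60"                     # constructed
    peer, peer2, peer3 = "203.0.113.5", "203.0.113.6", "203.0.113.7"  # constructed
    listed_peers = {peer}
    # same listed peer, but toward a host that never negotiated a tunnel
    esp_other = Packet(peer, other_host, PROTO_ESP, ts=3)
    return {
        "ike_out": fw.filter(Packet(guest, peer, PROTO_UDP, 500, 500, ts=0)),
        "ike_out_peer2": fw.filter(Packet(guest, peer2, PROTO_UDP, 500, 500, ts=0)),
        "ike_out_peer3": fw.filter(Packet(guest, peer3, PROTO_UDP, 500, 500, ts=0)),
        "ike_reply": fw.filter(Packet(peer, guest, PROTO_UDP, 500, 500, ts=1)),
        "esp_return": fw.filter(Packet(peer, guest, PROTO_ESP, ts=2)),
        "esp_other_stateful": fw.filter(esp_other),
        "esp_other_static_acl": static_esp_acl(esp_other, listed_peers),
        # return ESP after the idle timeout has run out
        "esp_stale": fw.filter(Packet(peer, guest, PROTO_ESP, ts=2 + 601)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The point of the comparison is the `esp_other` packet: the static ACL passes it because the source is a listed peer, while the stateful model denies it because no inside host negotiated with that peer. The model only keys on addresses; a real inspection on a PAT'd firewall has the extra problem that several inside clients share one outside address, which is why the fourth reply asks about PAT.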

Re: Guest Users attempting to VPN out are Denied

Hi there,

try this, and I am sure it is going to work and is more secure than the first suggestion I gave you:

make an ACL that permits ESP in the inbound direction, where the source address is the VPN termination device that your VPN client uses and the destination is any.

Put it inbound on your outside interface.

Also permit ESP and ISAKMP any any on your inside interface.

By the way, do you use PAT?

Good luck.

Rate if helpful.


Re: Guest Users attempting to VPN out are Denied

I already have an ACL in the inbound direction for the particular source addresses that are VPN termination devices.


Re: Guest Users attempting to VPN out are Denied

You are right about the FWSM not having the IPsec inspection feature, whereas PIX version 6.x does:

"fixup protocol esp-ike" ... which is not available in FWSM.
