Cisco Support Community
Community Member

URGENT

What's the configuration required on the FWSM to disable VPN/IPsec traffic inspection, or to allow VPN traffic explicitly?

3 REPLIES

Re: URGENT

Hi Aksher

The no fixup protocol pptp command will disable the inspection. To allow traffic to a specific external host from inside, you need the following ACLs:

access-list inside_access_in permit gre any host externalVPNserver

access-list inside_access_in permit tcp any host externalVPNserver eq pptp

or if you like, you can specify the source and set destination as any

Keep in mind that if you don't have an existing inside_access_in, then you should specify the permitted traffic in this ACL, since it blocks the rest of the traffic from inside to outside.

Regards

Community Member

Re: URGENT

But this is for a VPDN setup, no? In my case,

I am using a remote VPN client and no PPTP.

Re: URGENT

Ah, I misunderstood your question.

In your case, this is usually resolved via authorization (for example, if you have RADIUS or TACACS+ you can disable the specific user's VPN remote access), but the following can be tried.

IPsec over UDP uses port 4500 and IPsec over TCP uses port 10000. You can block these ports to specific resources like:

access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500

access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000

x.x.x.x is the global IP of the VPN client
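As an added example (editor's code, not from either poster or from Cisco), here is a small first-match ACL evaluator that parses the access-list lines from both replies and shows what the FWSM would do with a few constructed packets: the inside ACL permits only GRE and TCP/1723 to the PPTP server and drops everything else through the implicit deny, which is the point made in the first reply; and the two outside deny entries match NAT-T (UDP 4500) and IPsec over TCP (10000) from the client, while IKE on UDP 500 and ESP (IP protocol 50) from the same client are not named by those entries at all. The addresses 192.0.2.20, 203.0.113.10 and 198.51.100.1 are assumed stand-ins for externalVPNserver, x.x.x.x and the outside interface; the parser covers only the ACE shapes used in this thread.

```python
"""Tiny first-match ACL evaluator modelled on PIX/FWSM access-list syntax (editor's example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed addresses standing in for the placeholders in the posted ACLs.
EXT_VPN_SERVER = "192.0.2.20"    # "externalVPNserver" in the first reply
VPN_CLIENT = "203.0.113.10"      # "x.x.x.x", the client's global IP
OUTSIDE_IF = "198.51.100.1"      # what "interface outside" resolves to here

PORT_NAMES = {"pptp": 1723, "isakmp": 500}

# Constructed sample: the two ACLs from this thread with placeholders filled in.
SAMPLE_ACL_TEXT = f"""
access-list inside_access_in permit gre any host {EXT_VPN_SERVER}
access-list inside_access_in permit tcp any host {EXT_VPN_SERVER} eq pptp
access-list outside_access_in deny udp host {VPN_CLIENT} interface outside eq 4500
access-list outside_access_in deny tcp host {VPN_CLIENT} interface outside eq 10000
"""


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "gre", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # destination port; None means any


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse an address term at tokens[i]: any | host A | interface NAME | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "interface":
        # The firewall's own interface address, mapped to OUTSIDE_IF (assumption).
        return ipaddress.ip_network(OUTSIDE_IF + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into (NAME, Ace)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group ACEs by access-list name, preserving order (order is the match order)."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        if line.strip():
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match lookup. Returns (action, index of the matching ACE);
    an index of None means the packet fell through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACL_TEXT)
    inside, outside = acls["inside_access_in"], acls["outside_access_in"]
    print("inside  tcp/1723 to server :", evaluate(inside, "tcp", "10.1.1.5", EXT_VPN_SERVER, 1723))
    print("inside  tcp/443  to server :", evaluate(inside, "tcp", "10.1.1.5", EXT_VPN_SERVER, 443))
    print("outside udp/4500 from client:", evaluate(outside, "udp", VPN_CLIENT, OUTSIDE_IF, 4500))
    print("outside udp/500  from client:", evaluate(outside, "udp", VPN_CLIENT, OUTSIDE_IF, 500))
    print("outside esp      from client:", evaluate(outside, "esp", VPN_CLIENT, OUTSIDE_IF))
```

A result of ("deny", None) for UDP 500 and ESP from the client means neither of the two posted deny lines matched; on a real FWSM the outcome then depends on whatever else is in outside_access_in, so a practitioner blocking a specific remote-access client would check those protocols as well rather than relying on the two entries alone.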
