Cisco Support Community

New Member

ESP Protocol – Administrative Cost versus Risks

We have users who are on our private network behind our PIX 520. Users can connect to our clients' PIX firewalls using the Cisco VPN Client if we perform the following steps:

1. Reserve a private IP address for their workstation on the DHCP server.

2. Statically assign a public IP address to the private IP address reserved.

3. Create a conduit allowing the ESP protocol from the clients’ public IP address on their PIX to the public IP address setup in step 2.

Question: what are the risks if the ESP protocol were opened from any public IP address to any host behind our PIX? I am not comfortable opening this up, but I have not been able to find any details regarding the potential risks that have satisfied management. Any help would be welcome. Thanks.

Cisco Employee

Re: ESP Protocol – Administrative Cost versus Risks

The risks are minimal really, but I'm always hesitant to open any hole in a firewall unless you have to. Opening up ESP to any internal host is really not going to get anyone anywhere, because they first have to establish a tunnel using ISAKMP, so if you don't open that up you'll be pretty safe.

The reason you don't need to create a conduit for ISAKMP (in case you're wondering) is that ISAKMP is a UDP protocol. The PIX automatically creates conduits for TCP or UDP packets as they go out (from inside to outside), and allows those packets to come back in. ESP, on the other hand, sits right on top of IP (it is not TCP/UDP based), and so the PIX doesn't open a hole for that traffic to come back in; hence you have to specifically create a conduit for it.

As I said though, if you're now talking about traffic originating from the outside and coming in, you've only allowed ESP and not ISAKMP, so the risk of anyone starting a VPN tunnel to an internal host is negligible.

As I also said though, it is another hole in your firewall, so the more you can tighten it, by specifying the source and/or destination addresses, the better.
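The three-step setup from the question and the "tighten the source and destination" advice from the reply, written out as PIX 5.x/6.x conduit configuration. This is an added example, not configuration from either poster or from Cisco; the addresses are RFC 5737 documentation ranges chosen for illustration (10.1.1.50 for the reserved workstation address, 203.0.113.10 for the public address mapped to it, 198.51.100.5 for the client's PIX), and the `!` lines are explanatory comments for the reader, not part of the commands.

```cisco
! Added example (not from the original thread). Assumed addresses:
!   10.1.1.50      inside workstation with the DHCP reservation (step 1)
!   203.0.113.10   our public address statically mapped to it (step 2)
!   198.51.100.5   the client's PIX, the only VPN peer this user needs

! Step 2: one-to-one static translation for the workstation.
! Our public address comes first, then the inside address.
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255 0 0

! The broad option management is asking about: ESP (IP protocol 50) from
! any outside host to any inside host. It works, but every statically
! translated inside host becomes reachable on protocol 50 from the whole
! Internet, and the rule is no longer tied to a known peer.
! conduit permit esp any any

! Step 3, tightened as the reply recommends: ESP only between our one
! translated address (global address first) and the client's PIX
! (foreign address second). ISAKMP on UDP/500 needs no conduit here
! because the VPN Client starts the negotiation outbound and the PIX
! keeps the return entry for that UDP connection itself.
conduit permit esp host 203.0.113.10 host 198.51.100.5
```

To confirm the setup while a user has a tunnel up: `show xlate` should list 203.0.113.10 translated to 10.1.1.50, `show conn` should show the UDP/500 connection the client opened outbound (the reason no ISAKMP conduit exists), and `show conduit` should list only the narrow ESP conduit, not an `any any` entry. If several users need this, add one `static` and one `conduit` pair per workstation rather than widening either address to `any`.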