
fixup protocol esp-ike

m.rainer
Level 1

Hi,

Does anybody know how the "fixup protocol esp-ike" really works? I only found a description on CCO "Configuring Application Inspection". And that's really poor.

What's going on here?!

Thanks a lot Markus

2 Replies

cjrusin
Level 1

Hey there,

I was scratching my head last week about the same question and figured out this much.

fixup protocol esp-ike allows only one VPN client on the inside of the PIX to attach to a VPN device (VPN 3005, 3030, PIX, etc.) on the outside.

What it does is it creates xlates for esp & isakmp (udp 500) for that client.

However, there is one more step. You must allow ESP packets in to the client by means of an ACL.

Ex: access-list outside_acl permit esp any any.

You might want to lock down the ACL a bit more.

I just wanted to point out the 2nd step with a generic ACL for clarity.

Hope this helps,

Chris Rusin

Hi Chris,

Thanks a lot for the reply.

So it isn't a fixup. It is the same feature that every IOS router provides with GRE (PPTP clients) on the inside network that is doing PAT.

The first client works fine because the unidirectional incoming connection for GRE is forwarded to the first outbound connection. (=first client that is doing PPTP outgoing)

In my opinion this fixup is a joke, isn't it?

Best regards Markus
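
Added example, not from either poster and not Cisco code: a simplified Python model of the behaviour described in this thread, showing why port-based PAT can multiplex many inside hosts while port-less ESP ends up with a single translation slot, and why inbound ESP still needs an ACL permit. The class, method names and addresses are constructed for illustration and do not reflect PIX internals.

```python
# Simplified model (an assumption for illustration, not PIX internals).
ESP, UDP = 50, 17  # IP protocol numbers


class PatDevice:
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.port_xlates = {}   # (proto, global_port) -> (inside_ip, inside_port)
        self.next_port = 1024
        self.esp_owner = None   # the one inside client holding the ESP/IKE xlate

    def outbound(self, proto, inside_ip, sport=None):
        """Return the global-side (ip, port), or None if the packet is dropped."""
        if proto == ESP or (proto == UDP and sport == 500):
            # ESP carries no ports to rewrite, so there is only one slot.
            if self.esp_owner is None:
                self.esp_owner = inside_ip
            if self.esp_owner != inside_ip:
                return None
            return (self.global_ip, sport)
        gport, self.next_port = self.next_port, self.next_port + 1
        self.port_xlates[(proto, gport)] = (inside_ip, sport)
        return (self.global_ip, gport)

    def inbound(self, proto, dport=None, acl_permits_esp=False):
        """Return the inside (ip, port) the packet is forwarded to, or None."""
        if proto == ESP:
            # Second step from the thread: the outside ACL must permit ESP.
            if not acl_permits_esp or self.esp_owner is None:
                return None
            return (self.esp_owner, None)
        if proto == UDP and dport == 500:
            return (self.esp_owner, 500) if self.esp_owner else None
        return self.port_xlates.get((proto, dport))


def demo():
    pat = PatDevice("198.51.100.5")      # constructed addresses
    a, b = "10.0.0.11", "10.0.0.12"
    return {
        "udp_a": pat.outbound(UDP, a, 40000),   # ordinary PAT: new port each
        "udp_b": pat.outbound(UDP, b, 40000),
        "ike_a": pat.outbound(UDP, a, 500),     # first VPN client takes the slot
        "esp_a": pat.outbound(ESP, a),
        "ike_b": pat.outbound(UDP, b, 500),     # second VPN client is refused
        "esp_b": pat.outbound(ESP, b),
        "esp_in_no_acl": pat.inbound(ESP),
        "esp_in_acl": pat.inbound(ESP, acl_permits_esp=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```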