New Member

IPSec through Pix\FWSM

Hi

I'm trying to allow IPSec connections through our FWSM but am having a few difficulties.

The connection is from a cisco VPN client to an IOS router.

Basically the following configuration works fine and I can VPN through the firewall:

access-list INBOUND extended permit ip any 192.168.1.1 (the router)

but is obviously totally insecure.

AFAIK the following should work but does not:

access-list INBOUND extended permit udp any eq isakmp 192.168.1.1 eq isakmp

access-list INBOUND extended permit esp any 192.168.1.1

access-list INBOUND extended permit ah any 192.168.1.1

(btw - IP address is fake, there is no NAT or PAT in use)

I'm obviously missing something, but any references I've seen suggest I just need to allow isakmp, esp and ah through.

*EDIT* actually just tested this from the office and the above rules are working OK, but they don't work when I try from home, so it must be some sort of NAT-traversal problem.

Anyone know how this should be set up? FWSM won't allow me to enable NAT-traversal unless I configure isakmp on itself.

  • VPN
3 REPLIES
New Member

Re: IPSec through Pix\FWSM

Use the following ACL and enable NAT-T on the router; it's better to post the topology.

access-list INBOUND extended permit udp any 192.168.1.1 eq isakmp

access-list INBOUND extended permit udp any 192.168.1.1 eq non500-isakmp

access-list INBOUND extended permit esp any 192.168.1.1

access-list INBOUND extended permit ah any 192.168.1.1

New Member

Re: IPSec through Pix\FWSM

Thanks - actually I found the solution last night. At home I'm behind a NAT router - in order for NAT-Traversal to work, UDP port 4500 has to be open on the firewall.

So the following setup now seems to work for all users:

access-list INBOUND extended permit udp any 192.168.1.1 eq isakmp

access-list INBOUND extended permit udp any 192.168.1.1 eq 4500

access-list INBOUND extended permit esp any 192.168.1.1

(don't seem to need to permit AH - when I did have the rule there it wasn't getting any hits)

NAT-T seems to be enabled on the terminating router by default.

New Member

Re: IPSec through Pix\FWSM

eq non500-isakmp and eq 4500 are the same, and if you are not using AH then of course it's not necessary.
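The thread boils down to a checklist: for a client behind a NAT the firewall in front of the IPsec peer must permit UDP/500 (isakmp), UDP/4500 (non500-isakmp, the NAT-T port) and ESP, while AH is only needed if the policy actually uses it. The script below is an added example, not something posted in the thread or shipped by Cisco: it parses FWSM/ASA-style "access-list ... extended permit" lines of the shapes used above (any, host X, X MASK, optional "eq PORT"), reports which of those components are permitted towards a given peer address, and flags two things a reviewer would want to see: a "permit ip" entry that is far broader than needed, and a source-port match on the UDP entries, which is stricter than the replies' ACLs and can drop traffic whose source port a NAT device has rewritten. The sample ACLs are constructed from the poster's first attempt and the working set; the peer address 192.168.1.1 is the placeholder from the thread.

```python
"""Check an FWSM/ASA-style inbound ACL for the entries an IPsec peer behind the
firewall needs: IKE on UDP/500, NAT-T on UDP/4500, ESP, and optionally AH.
Added example for this thread; the parser covers only the ACE shapes used here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the thread's ACLs (FWSM/ASA names).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def _is_ip(tok: str) -> bool:
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Return (address spec, next index). Accepts: any | host X | X | X MASK."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return tokens[i + 1], i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return f"{tok}/{tokens[i + 1]}", i + 2  # dotted-netmask form
    return tok, i + 1


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Return (port or None, next index) for an optional 'eq <port>' clause."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES.get(name)
        if port is None:
            port = int(name)  # numeric port; unknown keywords raise ValueError
        return port, i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None  # remarks, blank lines, other ACL syntax
    src, i = _parse_addr(t, 5)
    src_port, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i)
    return Ace(t[3], t[4].lower(), src, src_port, dst, dst_port)


def _covers(spec: str, peer: str) -> bool:
    """True if the ACE address spec matches the peer address."""
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(peer) in ipaddress.ip_network(spec, strict=False)
    return spec == peer


def check_ipsec_passthrough(acl_lines: List[str], peer: str):
    """Report which IPsec components the ACL permits towards PEER, plus warnings."""
    found = {"isakmp": False, "nat-t": False, "esp": False, "ah": False}
    warnings: List[str] = []
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None or ace.action != "permit" or not _covers(ace.dst, peer):
            continue
        if ace.proto == "ip":
            warnings.append(f"'{line.strip()}' permits every protocol and port to {peer}")
            for key in found:  # a blanket permit covers all components
                found[key] = True
        elif ace.proto == "udp":
            if ace.src_port is not None:
                warnings.append(f"'{line.strip()}' also matches the source port; a NAT "
                                "in the path may rewrite it and the entry will not match")
            if ace.dst_port in (500, None):
                found["isakmp"] = True
            if ace.dst_port in (4500, None):
                found["nat-t"] = True
        elif ace.proto in ("esp", "50"):
            found["esp"] = True
        elif ace.proto in ("ah", "51"):
            found["ah"] = True
    return found, warnings


def missing_for_nat_t(acl_lines: List[str], peer: str) -> List[str]:
    """Components a NAT-T client still needs (AH is optional, so it is not listed)."""
    found, _ = check_ipsec_passthrough(acl_lines, peer)
    return [k for k in ("isakmp", "nat-t", "esp") if not found[k]]


# Constructed from the thread: the poster's first attempt and the working set.
ORIGINAL_ACL = [
    "access-list INBOUND extended permit udp any eq isakmp 192.168.1.1 eq isakmp",
    "access-list INBOUND extended permit esp any 192.168.1.1",
    "access-list INBOUND extended permit ah any 192.168.1.1",
]
WORKING_ACL = [
    "access-list INBOUND extended permit udp any 192.168.1.1 eq isakmp",
    "access-list INBOUND extended permit udp any 192.168.1.1 eq non500-isakmp",
    "access-list INBOUND extended permit esp any 192.168.1.1",
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("working", WORKING_ACL)):
        found, warns = check_ipsec_passthrough(acl, "192.168.1.1")
        print(name, found, "missing:", missing_for_nat_t(acl, "192.168.1.1"))
        for w in warns:
            print("  warning:", w)
```

Run as-is it reports the original set as missing "nat-t" (with a source-port warning on the isakmp line) and the working set as complete with AH absent, which matches what the poster observed from home versus the office.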
