https://community.cisco.com/t5/network-security/urgent/m-p/896166#M956595 <HTML><HEAD></HEAD><BODY><P> Hi Aksher</P><P> no fixup protocol pptp command will disable the inspection. For allowing to specific external host from inside, you need the following ACLs</P><P></P><P>access-list inside_access_in permit gre any host externalVPNserver</P><P>access-list inside_access_in permit tcp any host externalVPNserver eq pptp</P><P></P><P>or if you like, you can specify the source and set destination as any</P><P></P><P>Keep in mind that if you dont have an existing inside_access_in, then you should specify the permitted traffic in this acl since this blocks the rest of the traffic from inside to outside.</P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 22 Jan 2008 23:30:44 GMT Alan Huseyin Kayahan 2008-01-22T23:30:44Z https://community.cisco.com/t5/network-security/urgent/m-p/896165#M956594 <P>What's the conf required on FWSM to disable VPN/IPSEC traffic inspection or to allow VPN traffic explicitly?</P> Mon, 11 Mar 2019 11:52:02 GMT https://community.cisco.com/t5/network-security/urgent/m-p/896165#M956594 aksher 2019-03-11T11:52:02Z https://community.cisco.com/t5/network-security/urgent/m-p/896166#M956595 <HTML><HEAD></HEAD><BODY><P> Hi Aksher</P><P> no fixup protocol pptp command will disable the inspection. For allowing to specific external host from inside, you need the following ACLs</P><P></P><P>access-list inside_access_in permit gre any host externalVPNserver</P><P>access-list inside_access_in permit tcp any host externalVPNserver eq pptp</P><P></P><P>or if you like, you can specify the source and set destination as any</P><P></P><P>Keep in mind that if you dont have an existing inside_access_in, then you should specify the permitted traffic in this acl since this blocks the rest of the traffic from inside to outside.</P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 22 Jan 2008 23:30:44 GMT https://community.cisco.com/t5/network-security/urgent/m-p/896166#M956595 Alan Huseyin Kayahan 2008-01-22T23:30:44Z https://community.cisco.com/t5/network-security/urgent/m-p/896167#M956596 <HTML><HEAD></HEAD><BODY><P>But this is for VPDN setup know???In my case </P><P>I am using remote VPN client and no PPTP. </P></BODY></HTML> Wed, 23 Jan 2008 00:28:20 GMT https://community.cisco.com/t5/network-security/urgent/m-p/896167#M956596 aksher 2008-01-23T00:28:20Z https://community.cisco.com/t5/network-security/urgent/m-p/896168#M956597 <HTML><HEAD></HEAD><BODY><P> Ah, I misunderstood your question. </P><P> In your case, this is usually resolved via authorization (Like f you have a RADIUS or TACACS you can disable the specific user vpn remote access), but following can be tried.</P><P> Ipsec over UDP uses port 4500 and IPsec over TCP uses 10000. You can block these ports to specific resources like</P><P></P><P>access-list outside_access_in deny udp host x.x.x.x interface outside eq 4500 </P><P>access-list outside_access_in deny tcp host x.x.x.x interface outside eq 10000 </P><P></P><P> x.x.x.x is the global IP of the VPN client</P></BODY></HTML> Wed, 23 Jan 2008 15:39:57 GMT https://community.cisco.com/t5/network-security/urgent/m-p/896168#M956597 Alan Huseyin Kayahan 2008-01-23T15:39:57Z