05-15-2007 08:00 AM - edited 03-11-2019 03:14 AM
I have some users behind my FWSM who want to be able to initiate VPN using the Cisco VPN client to external locations.
UDP and TCP are allowed outbound, and the FWSM obviously handles the return traffic. So the IKE tunnel establishes OK and authentication takes place without any problem.
However once the tunnel is established no traffic flows. Testing and netflow monitoring would suggest this is because *return* ESP traffic is being blocked by the FWSM.
If I add a "permit esp any any" rule to the inbound access list then everything works fine, but I'm not happy with having such a non-specific rule there.
Surely the FWSM should be able to recognise IKE sessions between 2 points and then allow parallel ESP traffic between the same points! On the pix there is a "fixup esp-ike" command but there is no equivalent on the FWSM.
Anyone any ideas?
05-15-2007 11:04 PM
Hi Liam
Are you running v3.x on your FWSM? The fixup esp-ike command is not supported in version 7.x of the PixOS so it won't be there.
I may be mistaken, but I don't think that using the fixup esp-ike means you don't have to allow ESP through your firewall anyway. This fixup is to allow one VPN tunnel to function even if the firewall is doing PAT, but I still think you would need to allow ESP back through.
Do you know the external locations? How many are there? Could you not include these in an object-group and then only allow ESP from these addresses?
Apologies if I have misunderstood.
Jon
05-16-2007 12:08 AM
I'm using v3.1, though that fixup isn't available in v2.3 either.
I do know where this particular VPN is terminating, so I can put in a more specific access list, but there is likely to be further demand for this and I'm just surprised that the FWSM can't handle ESP in a session-based manner.
05-16-2007 12:26 AM
Hi Liam
Yes, I understand your frustration. Trouble is, stateful firewalls as a whole only do proper session control for TCP connections. They do a sort of pseudo control for UDP based on timeouts.
For protocols at layer 3, e.g. ICMP and ESP, there really is no state to keep, so you have to allow them through the firewall independently.
Can you not ask the user what IP address they connect to?
Sorry I can't be more help.
Jon
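The object-group approach Jon suggests, written out as an added example (it is not configuration posted by either participant). The interface and access-list names, the peer addresses 203.0.113.10/11 and the inside range 10.1.1.0/24 are placeholders, and it assumes the inside users are reachable from the outside without PAT, since ESP cannot be port-translated anyway. Only ESP needs an explicit inbound permit: IKE is initiated outbound on UDP/500 and its replies ride on the FWSM's UDP pseudo-state.

```cisco
! Before: works, but lets ESP in from anywhere to anywhere
access-list outside_in extended permit esp any any

! After: name the remote VPN endpoints the users actually connect to
object-group network VPN_PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11

object-group network INSIDE_VPN_USERS
 network-object 10.1.1.0 255.255.255.0

! Return ESP is allowed only from those peers to the VPN users
access-list outside_in extended permit esp object-group VPN_PEERS object-group INSIDE_VPN_USERS
! Log anything else that arrives at the outside interface
access-list outside_in extended deny ip any any log

access-group outside_in in interface outside
```

When a new remote site is needed, add its address to VPN_PEERS rather than widening the ESP rule. After bringing a tunnel up, `show access-list outside_in` shows the hit count climbing on the object-group ESP line; if the deny line is what increments instead, the peer address or the inside range in the groups is wrong.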