IPSec VPN using FWSM possible?

yvasanthk
Level 1

Hi,

Is it possible to configure a 6500 FWSM module to allow a windows based IPSEC VPN to terminate to it and allow access to the protected inside network.

The documentation for the FWSM talks about configuring the FWSM for remote access and management using a VPN; but it does not mention anything about having the vpn into the protected network.

Please point me to any links on CCO.

Thanks,

Vasanth

6 Replies

johansens
Level 4

No, you can't:

From: http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml#q25

Q. Can I terminate VPN connections on my FWSM?

A. VPN functionality is not supported on the FWSM. Termination of VPN connections is the responsibility of the switch and/or VPN Services Module. The 3DES license is provided for management purposes only, such as connecting to a low-security interface via Telnet, Secure Shell (SSH), and Secure HTTP (HTTPS).

Did it help?

Thanks for the reply. The link you gave clearly says it is not supported.

But, the documentation at the below link talks about creating a site-to-site tunnel..what does that mean?

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/access.htm#wp1144881

-- Vasanth

Hi again Vasanth,

They are talking about establishing a VPN tunnel to another device, e.g. a PIX or VPN concentrator, to enable remote management through this other device.

As this link says in the second paragraph:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/access.htm#wp1143031

"The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself."

Make sure you understand the last sentence in this paragraph...

Did it help?

Thanks. Convinced that I will have to use another device on either end of the tunnel to have an IPSec VPN.

But, my problem is still not solved :(

LAN --- Private network inside context --- fwsm outside context ---- 3550 --- WAN Link --- 3550 ---- 6500 ----LAN

I need to provide an IPSec VPN between these two LANs.

I don't think any of the devices involved in this topology here support IPSec VPN.

What do I do?

-- Vasanth

Well, it's really simple...

Add the devices you'll need to accomplish the IPSec VPN. You are right, none of the components you have will let you do IPSec VPN (at least not without some help to accomplish throughput)...

Either add a VPNSM (or the more fancy SPA-IPSEC solutions..) in each 6500 or insert a properly sized VPN-device at each side...

Did it help?
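To make the difference between the two tunnel types concrete, here is an added configuration example that is not from the original thread or from Cisco's documentation. The first part is the management-only site-to-site tunnel the FWSM 2.x guide describes, written in the PIX 6.x-style syntax that FWSM 2.x uses: the crypto ACL can only name the FWSM's own interface address, so nothing behind the module is reachable through it. The second part is the LAN-to-LAN crypto map you would put on a separate IOS router or VPN device inserted between the FWSM outside context and the WAN link, which is the piece that actually carries traffic between the two LANs. All addresses, names, the pre-shared key and the interface are made up, and the exact command syntax is an assumption that should be checked against the FWSM and IOS releases in use.

```text
! --- Part 1: FWSM 2.x, management-only tunnel (PIX 6.x-style syntax, assumed) ---
! Only the FWSM's own interface address (192.0.2.1 here, assumed) can sit
! behind this tunnel; the inside network cannot be placed in the crypto ACL.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ExamplePSK address 198.51.100.1 netmask 255.255.255.255
crypto ipsec transform-set MGMT-TS esp-3des esp-sha-hmac
! Crypto ACL: the source is the FWSM outside interface itself.
! The line a LAN-to-LAN tunnel would need,
!   access-list MGMT-ACL permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! is not something the FWSM can terminate.
access-list MGMT-ACL permit ip host 192.0.2.1 10.2.0.0 255.255.0.0
crypto map MGMT 10 ipsec-isakmp
crypto map MGMT 10 match address MGMT-ACL
crypto map MGMT 10 set peer 198.51.100.1
crypto map MGMT 10 set transform-set MGMT-TS
crypto map MGMT interface outside
sysopt connection permit-ipsec

! --- Part 2: separate IOS router / VPN device on the WAN side (assumed topology) ---
! This device sits between the FWSM outside context and the 3550, and its
! crypto ACL names the two protected LANs, which is what the FWSM cannot do.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK address 198.51.100.1
crypto ipsec transform-set LAN-TS esp-3des esp-sha-hmac
! IOS ACLs use wildcard masks, unlike the PIX-style subnet masks above.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map LAN2LAN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set LAN-TS
 match address 110
interface FastEthernet0/0
 description WAN link toward the remote site (interface name assumed)
 ip address 203.0.113.1 255.255.255.252
 crypto map LAN2LAN
! If this device also performs NAT on the WAN interface, the 10.1/16 to
! 10.2/16 traffic must be exempted from translation or the crypto ACL
! will never match it.
```

The same LAN-to-LAN crypto map is needed at the far site with the peer and ACL directions reversed. Whichever device terminates the tunnel must also be the point where the inside-to-outside traffic is routed, otherwise the FWSM will see only encrypted ESP on its outside interface and cannot inspect the tunnelled flows.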

Good post; we had FWSMs in our old network. Since the FWSM gives you stateful firewall features, to have VPN functionality it would be recommended to have a separate firewall (if you have the additional funds).