How to open inbound ESP protocol on a PIX 515

Hello. We have someone inside our LAN that needs to VPN into a system outside our firewall. One of the requirements is for Protocol ESP to be open in both directions, incoming and outgoing. Our PIX 515 does not block anything outbound. What command line do I need to add to my PIX to open Protocol ESP inbound? Thanks for the help.

Reply to
Corbin O'Reilly

In article , Corbin O'Reilly wrote:
:What command line do I need to add to my PIX to open
:Protocol ESP inbound? Thanks for the help.

show access-group

and look for the one marked as being against the 'outside' interface. The name there is the name of an access-list . show access-list that name:

pix> en
Password: ******
pix# show access-group
access-group CSM-acl-Goutside in interface outside
access-group CSM-acl-Ginside in interface inside
pix# show access-list CSM-acl-Ginside
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 3 permit tcp host netadmin host kazoo eq domain (hitcnt=0)

Look through the list and find the first 'deny' statement that would block ip access to the target host. [If there isn't any such statement, then the current deny is being handled by the implicit deny of everything at the end of the list.] You will have to add a 'permit' statement somewhere above that point.

If line numbers show up in the access-list display, as shown above, then you can insert -before- a given line by configuring a new statement for that line. For example,

pix# config t
pix(config)# access-list CSM-acl-Ginside line 2 permit esp host 88.77.66.55 host 123.45.67.2

this would result in the following ACL:

pix# show access-list CSM-acl-Ginside
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 permit esp host 88.77.66.55 host 123.45.67.2 (hitcnt=0)
access-list CSM-acl-Ginside line 3 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 4 permit tcp host netadmin host kazoo eq domain (hitcnt=0)

You would then test to see if it worked, and if it did you would

pix# write memory

to save the result as the new configuration.

If the line numbers do not show up for you when you show the access-list then you are running an older PIX version that does not allow inline editing, and unless you go in via the graphical PDM, in order to insert something into the middle, you would effectively have to remove the existing ACL and put the revised version in its place. If you do that, then afterwards be sure to

pix(config)# access-group CSM-acl-Ginside in interface outside

(or as appropriate for whatever ACL you are using). This is essential !! When you remove an ACL, any access-group or crypto map or nat statements that refer to it are automatically removed as well, so you have to put the statements back again.

Reply to
Walter Roberson
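The procedure above (read `show access-list`, find the first deny that would match the flow, insert a permit on that line number, which pushes the later entries down) is mechanical enough to script. The following is an added example, not code from the thread or from Cisco: it parses the `show access-list` text quoted above (embedded here as a constructed sample), evaluates each entry against a given protocol, source and destination, and builds the `access-list NAME line N permit ...` command to insert above the first matching deny (or after the last line when only the implicit deny applies). It treats source and destination separately, as the PIX does, so running it for both directions of the ESP flow shows which direction each deny actually catches. PIX `name` entries such as `mrtserver` cannot be resolved offline, so they match only by exact string; everything else here is standard-library Python.

```python
"""Plan where a permit entry must go in a PIX access-list (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of `show access-list` output; the trailing (hitcnt=N) is optional.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?)(?: \(hitcnt=\d+\))?$"
)

# Constructed sample: the ACL quoted earlier in the thread.
SAMPLE_SHOW_OUTPUT = """\
access-list CSM-acl-Ginside line 1 permit ip host mrtserver ibdCX0 255.255.255.0 (hitcnt=0)
access-list CSM-acl-Ginside line 2 deny ip host 123.45.67.2 any (hitcnt=0)
access-list CSM-acl-Ginside line 3 permit tcp host netadmin host kazoo eq domain (hitcnt=0)
"""

Spec = Tuple[str, str]  # (address or name, mask); ("any", "") means any


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: Spec
    dst: Spec
    extra: str  # e.g. "eq domain"

    def cli(self) -> str:
        """Render as the configure-mode command that creates this entry."""
        tail = f" {self.extra}" if self.extra else ""
        return (f"access-list {self.acl} line {self.line} {self.action} "
                f"{self.proto} {spec_text(self.src)} {spec_text(self.dst)}{tail}")


def take_spec(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one address spec: 'any', 'host X', or 'ADDR MASK'."""
    if tokens[0] == "any":
        return ("any", ""), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def spec_text(spec: Spec) -> str:
    addr, mask = spec
    if addr == "any":
        return "any"
    return f"host {addr}" if mask == "255.255.255.255" else f"{addr} {mask}"


def parse_show_access_list(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything that is not an entry
        src, rest = take_spec(m["rest"].split())
        dst, rest = take_spec(rest)
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                        src, dst, " ".join(rest)))
    return sorted(aces, key=lambda a: a.line)


def spec_matches(spec: Spec, ip: str) -> bool:
    addr, mask = spec
    if addr == "any":
        return True
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in net
    except ValueError:
        # A PIX 'name' (mrtserver, kazoo) or a non-IP query: exact match only.
        return addr == ip


def first_match(aces: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """First entry in line order that matches the flow; None means implicit deny."""
    for ace in aces:
        if ((ace.proto == "ip" or ace.proto == proto)
                and spec_matches(ace.src, src) and spec_matches(ace.dst, dst)):
            return ace
    return None


def plan_permit(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[Optional[int], Optional[Ace]]:
    """(line to insert a permit at, entry that currently decides the flow).

    Line is None when a permit already matches; otherwise it is the first
    blocking deny's line, or last line + 1 for the implicit deny at the end.
    """
    hit = first_match(aces, proto, src, dst)
    if hit is None:
        return (aces[-1].line + 1 if aces else 1), None
    if hit.action == "permit":
        return None, hit
    return hit.line, hit


def insert_ace(aces: List[Ace], new: Ace) -> List[Ace]:
    """Simulate the PIX inline insert: entries at or below new.line shift down by one."""
    shifted = [Ace(a.acl, a.line + 1 if a.line >= new.line else a.line, a.action,
                   a.proto, a.src, a.dst, a.extra) for a in aces]
    return sorted(shifted + [new], key=lambda a: a.line)


if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE_SHOW_OUTPUT)
    for src, dst in (("88.77.66.55", "123.45.67.2"), ("123.45.67.2", "88.77.66.55")):
        line, hit = plan_permit(acl, "esp", src, dst)
        where = "implicit deny at end" if hit is None else f"line {hit.line} {hit.action}"
        print(f"esp {src} -> {dst}: decided by {where}; insert permit at line {line}")
    new = Ace(acl[0].acl, 2, "permit", "esp", ("88.77.66.55", "255.255.255.255"),
              ("123.45.67.2", "255.255.255.255"), "")
    print("pix(config)#", new.cli())
    for ace in insert_ace(acl, new):
        print(ace.cli())
```

Running it prints the insert command and the renumbered list; the last step is still to test the flow and `write memory`, as the thread says.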

Hey Walter. Just for testing purposes if I added the command line "conduit permit esp any any" to my PIX config would that enable the ESP Protocol?

Reply to
Corbin O'Reilly

In article , Corbin O'Reilly wrote:
:Just for testing purposes if I added the command line "conduit
:permit esp any any" to my PIX config would that enable the ESP Protocol?

I don't know. Cisco stopped supporting conduit several releases ago. access-list/access-group was introduced early in PIX 5.1, and Cisco started actively saying you should get rid of them early in PIX 5.3. By PIX 6.2 they were saying that if you have a bug related to conduits, the bug would likely not be fixed.

Mixing conduits with VPNs is a particularly bad idea.

Reply to
Walter Roberson

I got it to work. Enabling FIXUP ESP-IKE in PDM did the trick.

Reply to
Corbin O'Reilly

In article , Corbin O'Reilly wrote:
:I got it to work. Enabling FIXUP ESP-IKE in PDM did the trick.

That only works for a single internal host, and only works if the ESP packets are addressed to the outside IP (i.e., the internal machine is PAT'd instead of static NAT.)

Reply to
Walter Roberson

This solution should be good enough for what we are trying to do. Thanks again for the help.

Reply to
Corbin O'Reilly
