PIX (v6.3) Remote Access IPSec VPN - limit access once established

Unanswered Question
Mar 28th, 2007


I have a Cisco PIX 525 (v6.3(4)) that I would like to enable remote access via a IPSec VPN. That part of the config I have found on the cisco website and believe I have a solution.

The PIX is configured with 3 interfaces (inside, outside & DMZ). When a user makes a VPN connection I would like to restrict the user access to a DMZ server only. I do not want to allow access to the internal network.

I haven't found any documentation to do this?

Can it be done?

Many thanks,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
David White Thu, 03/29/2007 - 08:04

Hi Carl,

Yes, this is possible. You need to disable "sysopt connection permit-ipsec". With this command disabled, you need to write your interface ACL to allow the decrypted traffic wherever you want it.

For you, this will be traffic sourced from the VPN pool destined to your DMZ server, and then deny all other traffic from your VPN pool IPs to anywhere. This ACL needs to be applied to the interface that is terminating your IPSec tunnel (I assume the outside).

Hope it helps,


carl.forbes Thu, 03/29/2007 - 11:36

Thanks for this David.

As ACLs are applied inbound, how will this work? My thinking is that once the VPN tunnel is terminated on the PIX, which inbound interface will the ACL be applied to?

I intended in assigning a VPN pool from the dmz subnet.

Many thanks.

acomiskey Thu, 03/29/2007 - 12:08

You can write the acl inbound to outside interface or outbound of inside or dmz interface. Do not make the vpn pool the same as your dmz subnet, it should be completely different.

David White Thu, 03/29/2007 - 12:09

Without the sysopt, after the packet is decrypted, it passes back through the same interface ACL (the interface on which the tunnel was terminated - typically this is the outside interface).

I would assign a VPN pool that is unique, and not apart of any interface network.



carl.forbes Thu, 03/29/2007 - 12:20

Ah ok.

Got it thanks guys, very much appreciated.

So ACL on outside interface and seperate VPN pool.

Easy ;o)

acomiskey Thu, 03/29/2007 - 12:25

Don't forget, once you remove sysopt conn permit-ipsec, that will apply to all your ipsec traffic. You will also have to specifically permit udp 500, esp etc. on your outside interface for the connections as well.

carl.forbes Mon, 04/02/2007 - 07:31

Thanks for your help guys.

I have spent the past few days searching for port/protocols I need to open to allow the tunnel to establish when using no sysopt conn permit-ipsec with no success.

So far I have the following:

UDP 500 for ISAKMP

But am unsure what to use for ESP:

ah-esp-encap 2070/tcp AH and ESP Encapsulated in UDP packet

esp-encap 2797/tcp esp-encap

any other type of traffic specific to the tunnel I also need to include?

Many thanks once again.


acomiskey Mon, 04/02/2007 - 08:04

ESP is the protocol, not the port. For example...

access-list 101 permit udp any interface outside eq isakmp

access-list 101 permit esp any interface outside

also if you have remote vpn clients requiring nat-traversal, you would want to add udp 4500.

David White Mon, 04/02/2007 - 08:54

For traffic that is terminated on the PIX (as is the case of IPSec), interface ACLs do not apply. Therefore, there is no reason to permit isakmp (UDP/500) or ESP (protocol 50) in the interface ACL.

Again, interface ACLs only apply to transient traffic, not traffic that is terminated on the firewall.



carl.forbes Mon, 04/02/2007 - 09:28

Hi David,

I'm a little confused at the moment, but hopefully this will be the last post.

My setup: (Internet users, outside) (DMZ network, dmz) (Internal network, inside) (VPN pool)

Traffic flows - A user establishes an IPSec tunnel to my PIX to allow telnet to a server in the DMZ.

When using no sysopt connection permit-ipsec, my outside acl should include the following entries?:

access-list outside_in permit tcp host eq telnet

access-group outside_in in interface outside

(The source IP given here is the VPN pool, not the internet address. Correct?)

I do not require anything additional for esp, isakmp etc?

Many thanks.


This Discussion