no sysopt connection permit-pptp but no ACL hits??

Aug 16th, 2007


We have Pix 506E (running 6.3(5)) with Cisco VPN client working fine.

However, I have a question. It is not causing any issue but I need to understand.

We disabled "sysopt connection permit-ipsec" and applied the access-l abc on the inside interface which users establish the VPN connections through.

Somehow this access-l abc has no hits.

Can someone explain why?

access-list abc line 1 permit esp any host (hitcnt=0)
access-list abc line 2 permit udp any host eq isakmp (hitcnt=0)
access-list abc line 3 permit udp any host eq 4500 (hitcnt=0)

pix# sh sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
no sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible

Jon Marshall Fri, 08/17/2007 - 00:35


Because, unlike a router, with a pix you do not need to specify the IPSEC ports in your acl.

Entering "no sysopt connection permit-ipsec" as you say means that the VPN is subjected to the access-list on that interface rather than bypassing it. But that access-list is for traffic once it has been decrypted.

Indeed we had a thread a while back where we tried to stop the pix accepting IPSEC ports on its outside interface by using deny statements equivalent to your permit statements above and it still accepted VPN connections. Of course without the right key etc. a vpn wasn't formed but the pix still accepted the IPSEC ports.
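The processing order Jon describes, as an added Python model (not from the thread and not PIX code): IKE and ESP sent to the PIX itself are taken by the IPsec engine before any interface ACL is consulted, and only the decrypted inner traffic is checked against the ACL, unless "sysopt connection permit-ipsec" lets it bypass the ACL. The addresses, the rule grammar and the Packet/Rule classes are constructed for the example.

```python
# Added model (not PIX code) of the packet path the answer describes; addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional
PIX_INSIDE = "10.0.0.1"  # constructed: interface address the VPN clients tunnel to

@dataclass
class Packet:
    proto: str                        # "esp", "udp", "tcp"
    dst: str
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # cleartext packet carried inside an ESP envelope

@dataclass
class Rule:                           # grammar: "permit <proto> any host <ip> [eq <port>]"
    text: str
    hitcnt: int = 0
    def matches(self, p: Packet) -> bool:
        f, port = self.text.split(), None
        if "eq" in f:
            name = f[f.index("eq") + 1]
            port = {"isakmp": 500}.get(name) or int(name)
        return p.proto == f[1] and p.dst == f[4] and (port is None or p.dport == port)

def interface_pass(pkt: Packet, acl: List[Rule], permit_ipsec: bool) -> str:
    from_tunnel = False
    # 1. IKE (udp/500, udp/4500) and ESP sent to the PIX itself are taken by the IPsec
    #    engine before the interface ACL is consulted, so ACL lines for them never hit.
    if pkt.dst == PIX_INSIDE and (pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in (500, 4500))):
        if pkt.inner is None:
            return "consumed-by-ipsec"        # IKE negotiation, NAT-T keepalives
        pkt, from_tunnel = pkt.inner, True    # 2. ESP decrypted; inner packet continues
    if from_tunnel and permit_ipsec:          # 3. permit-ipsec: decrypted traffic skips ACL
        return "permitted-bypass"
    for r in acl:                             # 4. otherwise the ACL sees the decrypted packet
        if r.matches(pkt):
            r.hitcnt += 1
            return "permitted-by-acl"
    return "denied-implicit"

def demo(permit_ipsec: bool = False) -> dict:
    acl = [Rule("permit esp any host 10.0.0.1"),
           Rule("permit udp any host 10.0.0.1 eq isakmp"),
           Rule("permit udp any host 10.0.0.1 eq 4500"),
           Rule("permit tcp any host 10.0.0.20 eq 80")]   # a line that does count hits
    flows = [Packet("udp", PIX_INSIDE, 500),                            # IKE
             Packet("udp", PIX_INSIDE, 4500),                           # NAT-T
             Packet("esp", PIX_INSIDE, inner=Packet("tcp", "10.0.0.20", 80)),
             Packet("esp", PIX_INSIDE, inner=Packet("tcp", "10.0.0.21", 22))]
    results = [interface_pass(p, acl, permit_ipsec) for p in flows]
    return {"results": results, "hitcnt": [r.hitcnt for r in acl]}
```

With permit-ipsec disabled the three esp/isakmp/4500 lines stay at hitcnt 0 while the rule for the decrypted web traffic counts a hit; with it enabled, no ACL line counts anything for tunnel traffic.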



