sysopt command

Unanswered Question
Aug 24th, 2007

Hi ,

The command sysopt connection permit-ipsec?

When I enable that command, the VPN connections will be allowed inbound from the tunnel without checking the outside interface access list.

Suppose the VPN traffic is coming to the DMZ interface. Do I need to allow the traffic on the DMZ interface ACL for the inbound and outbound traffic, or does it work only with the crypto and nat 0 ACLs?


miclulich Fri, 08/24/2007 - 02:36

The command "sysopt connection permit-ipsec" only bypasses the ACL on the ingress interface (usually outside).

Please see the definition and usage guidelines here...

sysopt connection permit-ipsec

For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

Usage Guidelines

You might want to bypass interface access lists for decrypted traffic to simplify configuration and to maximize the security appliance performance. If you disable this feature, you must apply an access list to the ingress interface that permits decrypted IPSec packets from all IPSec peers (see the access-list and access-group commands).

rajbhatt Fri, 08/24/2007 - 02:40


For ingress traffic the VPN terminates on the outside interface.

But the servers to be accessed are located on the DMZ interface.

So we have to add an access list on the DMZ if I use the sysopt command as well?


anshubathla Fri, 10/26/2012 - 10:02


I have one question here.

For example, my firewall has two interfaces, inside and outside.

If sysopt is enabled, it bypasses the ACL on the outside interface.

Do we require an access-list to allow the traffic on the inside interface (coming from an inside host and intended for the VPN) besides the crypto ACL?

Thank you

Javier Portuguez Fri, 10/26/2012 - 10:14


The "sysopt connection permit vpn" command does take effect on any interface where a crypto map is applied or SSL VPN is enabled.

This command is to bypass the ACL but not the NAT rule, so you still need a NAT from DMZ to Outside to allow the traffic flow from a lower to a higher security level interface, if NAT-CONTROL is enabled.

To allow the return traffic for instance, from DMZ to Outside, you need to make sure that any ACL applied to the DMZ interface allows the traffic in question.



Please rate any helpful posts

anshubathla Sat, 10/27/2012 - 00:10

Many thanks Jportugu,

So I can conclude that, if sysopt is enabled:

We always require an ACL on the interface, say from DMZ to outside, which must be a subset of the crypto ACL (whether the traffic is return traffic or any host on the DMZ is initiating the traffic).

Javier Portuguez Sat, 10/27/2012 - 07:45

Yes, you are correct.

The access-list is not always required, since remember that we are coming from a higher security level to a lower.

For instance:

interface f0/0
     nameif dmz
     security-level 50
     ip add

interface f0/1
     nameif outside
     security-level 0
     ip add

access-list crypto_map_10 permit ip

route outside

Scenario 1:

If there is no ACL, then there is no need to add one to allow traffic from DMZ to outside. However, nat-control is enabled, so we need to add:

access-list nonat_dmz permit ip
nat (dmz) 0 access-list nonat_dmz

Scenario 2:

There is an access-list applied to the dmz interface as follows:

access-list dmz_in permit ip host
access-group dmz_in in interface dmz

So, since there is an implicit "deny ip any any", we must add:

access-list dmz_in permit ip 255.255.0

And if nat-control is enabled, or any other NAT rule may affect this traffic, then:

access-list nonat_dmz permit ip
nat (dmz) 0 access-list nonat_dmz


"sysopt connection permit vpn" bypasses outside ACL.

An ACL is not always required as long as you are coming from higher to lower (dmz to outside, for instance).

NAT exemption is required as long as nat-control is enabled, or in case any other NAT rule may affect the traffic.

Hope this helps.


Please rate any helpful posts
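The two scenarios above, as an added example that is not part of the thread: a small Python model of the checks the answer walks through (sysopt bypass only on the crypto-map interface, the DMZ ACL with its implicit deny, default higher-to-lower permission, and nat-control needing a nat 0 exemption). Interface names, security levels and all addresses are constructed for the example; it assumes a nat 0 exemption matches in both directions.

```python
# Added example, not code from the thread: a toy model of the ASA checks
# discussed in Scenario 1 and 2. All addresses below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    name: str
    security_level: int
    acl: list = None          # (src_net, dst_net) permits; None = no access-group applied
    crypto_map: bool = False  # the VPN terminates on this interface

@dataclass
class Asa:
    ifaces: dict
    sysopt_permit_vpn: bool = True
    nat_control: bool = False
    nat_exempt: list = field(default_factory=list)  # (iface, src_net, dst_net) from "nat (iface) 0"

def acl_permits(acl, src, dst):
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def check_flow(asa, ingress, egress, src, dst, decrypted=False):
    """Return (allowed, reason) for a packet entering `ingress` and leaving via `egress`."""
    i, e = asa.ifaces[ingress], asa.ifaces[egress]
    # 1. Interface ACL: sysopt bypasses it only on the interface where the tunnel terminates.
    if decrypted and asa.sysopt_permit_vpn and i.crypto_map:
        pass
    elif i.acl is not None:
        if not acl_permits(i.acl, src, dst):
            return False, f"implicit deny on {ingress} ACL"
    elif i.security_level <= e.security_level:
        return False, f"no ACL on {ingress}: lower-to-higher is denied by default"
    # 2. nat-control: every flow needs a NAT rule; a matching nat 0 exemption satisfies it.
    if asa.nat_control:
        exempt = any((x == ingress and acl_permits([(s, d)], src, dst)) or
                     (x == egress and acl_permits([(s, d)], dst, src))
                     for x, s, d in asa.nat_exempt)
        if not exempt:
            return False, f"nat-control: no NAT rule for {ingress} -> {egress}"
    return True, "permitted"

if __name__ == "__main__":
    ifs = {"outside": Interface("outside", 0, crypto_map=True), "dmz": Interface("dmz", 50)}
    asa = Asa(ifs, nat_control=True, nat_exempt=[("dmz", "192.168.50.0/24", "10.1.1.0/24")])
    print(check_flow(asa, "outside", "dmz", "10.1.1.5", "192.168.50.10", decrypted=True))
    print(check_flow(asa, "dmz", "outside", "192.168.50.10", "10.1.1.5"))
```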

Javier Portuguez Sat, 10/27/2012 - 07:46


Please mark this question as answered if you do not have any further questions, and do not forget to rate any helpful posts.
