can i remove "sysopt connection permit-ipsec" command

Sep 11th, 2007

Hi all. Right now my site-to-site VPN between 2 Cisco PIX firewalls is working fine. But I would like to restrict the VPN traffic on both sides. After I have created the access list to limit the VPN traffic, should I set "no sysopt connection permit-ipsec" for the restriction to take effect? Thanks in advance.

lgijssel Tue, 09/11/2007 - 02:04

"sysopt connection permit-ipsec" was used in older PIX software to allow IPsec.

Adjusting the ACLs will suffice. Keep in mind that these ACLs must match on both ends of the link.



Jon Marshall Wed, 09/12/2007 - 08:59


I differ slightly on what this command does. I don't think it is used just on older versions of the PIX software to allow IPsec. It and the updated "sysopt connection permit-vpn" are used to bypass any ACL checking on the interface where the IPsec tunnel terminates. This is still a perfectly valid thing to want to do on PIX and ASA devices.

By disabling it, yes, it will mean any IPsec traffic, once decrypted, will be checked against any ACL applied on the interface that the tunnel terminates on. The ACLs do not need to match on both ends; that is the crypto map access-list.


acomiskey Wed, 09/12/2007 - 10:22

haha....and those don't really match, they are mirrored. :) (I know you know this)

Jon Marshall Wed, 09/12/2007 - 23:26

Hi Adam

Mirrored is a better description than matched :)

Yes, I did know this, but I was talking about the ACLs applied to the interface, not the crypto access-list. I believe the OP was talking about turning off "sysopt connection permit-ipsec" and then controlling traffic via the ACL applied to the outside interface. I just thought it was worth pointing out that the ACLs on the interfaces did not have to match at both ends.


Jon Marshall Thu, 09/13/2007 - 00:59


Just reread this and realised I prattled on about which ACL I was talking about, thinking you had misunderstood, which you hadn't.

Sometimes posts + my slowness just don't work :)


lgijssel Wed, 09/12/2007 - 10:45

Thanks Jon, I must admit that I haven't checked the exact function. In practice, I never came across this because thus far I have always terminated the VPNs on the PIX/ASA itself. You do not need it in this case.

I also remember having read about some sysopt commands becoming obsolete; that was what I had in mind when I wrote the response.

About the ACLs not matching: I meant the crypto ACLs. I have noticed unpredictable results with IOS-based VPN tunnels when the ACLs on both devices did not allow the same traffic. In that case, one side would drop IPsec packets after decryption due to not passing the crypto ACL. It is good practice to configure them symmetrically.



Jon Marshall Wed, 09/12/2007 - 23:23


Okay, that makes sense. Yes, I agree that the crypto access-lists really should match, or at least be mirrored, otherwise things generally don't work.
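The two-ended layout the thread converges on (mirrored crypto ACLs, sysopt disabled, independent interface ACLs), as an added configuration example that is not from any poster. Addresses, ACL names and the transform set are assumed; syntax follows PIX 6.x/7.x, where the newer name for the command is "sysopt connection permit-vpn", and interface, NAT and ISAKMP policy lines are omitted.

```cisco
! Assumed addressing (constructed for this example):
!   PIX-A outside 192.0.2.1, inside 10.1.0.0/24
!   PIX-B outside 192.0.2.2, inside 10.2.0.0/24

! ===== PIX-A =====
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Crypto ACL: selects what gets encrypted. Must be the MIRROR of PIX-B's.
access-list CRYPTO_TO_B permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_B
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! With this enabled, decrypted tunnel traffic bypasses the outside ACL entirely.
no sysopt connection permit-ipsec

! Interface ACL: now applied to DEcrypted traffic. It only reflects what
! this side wants to accept; it is NOT required to match PIX-B's.
access-list OUTSIDE_IN permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 1433
access-list OUTSIDE_IN permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Assumption: on releases where the outside ACL also sees the tunnel packets
! themselves, ISAKMP and ESP from the peer must be permitted explicitly.
access-list OUTSIDE_IN permit udp host 192.0.2.2 host 192.0.2.1 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.2 host 192.0.2.1
access-group OUTSIDE_IN in interface outside

! ===== PIX-B =====
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Crypto ACL: exact mirror of PIX-A's (source and destination swapped).
access-list CRYPTO_TO_A permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
no sysopt connection permit-ipsec

! A different policy from PIX-A is fine here: B only accepts SSH from A's admin host.
access-list OUTSIDE_IN permit tcp host 10.1.0.5 10.2.0.0 255.255.255.0 eq 22
access-list OUTSIDE_IN permit udp host 192.0.2.1 host 192.0.2.2 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.1 host 192.0.2.2
access-group OUTSIDE_IN in interface outside
```

Sessions initiated from either inside network still get their return traffic through the stateful inspection, so the interface ACLs only need to list the inbound connections each site is prepared to accept.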


