can i remove "sysopt connection permit-ipsec" command

donnie
Level 1

Hi all. Right now my site-to-site VPN between 2 Cisco PIX firewalls is working fine, but I would like to restrict the VPN traffic on both sides. After I have created the access-list to limit the VPN traffic, should I set "no sysopt connection permit-ipsec" for the restriction to take effect? Thanks in advance.

7 Replies

lgijssel
Level 9

"sysopt connection permit-ipsec" was used in older PIX software to allow IPsec.

Adjusting the ACLs will suffice. Keep in mind that these ACLs must match on both ends of the link.

regards,

Leo

Leo

I differ slightly on what this command does. I don't think it is used just on older versions of the PIX software to allow IPsec. It and the updated "sysopt connection permit-vpn" are used to bypass any ACL checking on the interface where the IPsec tunnel terminates. This is still a perfectly valid thing to want to do on PIX and ASA devices.

By disabling it, yes, it will mean any IPsec traffic, once decrypted, will be checked against any ACL applied on the interface that the tunnel terminates on. The ACLs do not need to match on both ends; that is the crypto map access-list.

Jon

Haha... and those don't really match, they are mirrored. :) (I know you know this)

Hi Adam

Mirrored is a better description than matched. :)

Yes, I did know this, but I was talking about the ACLs applied to the interface, not the crypto access-list. I believe the OP was talking about turning off "sysopt connection permit-ipsec" and then controlling traffic via the ACL applied to the outside interface. I just thought it was worth pointing out that the ACLs on the interfaces did not have to match at both ends.

Jon

Adam

Just reread this and realised I prattled on about which ACL I was talking about, thinking you had misunderstood, which you hadn't.

Sometimes posts + my slowness just don't work. :)

Jon

Thanks Jon, I must admit that I haven't checked the exact function. In practice, I never came across this because thus far I have always terminated the VPNs on the PIX/ASA itself. You do not need it in this case.

I also remember having read about some sysopt commands becoming obsolete; that was what I had in mind when I wrote the response.

About the ACLs not matching: I meant the crypto ACLs. I have noticed unpredictable results with IOS-based VPN tunnels when the ACLs on both devices did not allow the same traffic. In that case, one side would drop IPsec packets after decryption due to not passing the crypto ACL. It is good practice to configure them symmetrically.

regards,

Leo

Leo

Okay, that makes sense. Yes, I agree that the crypto access-lists really should match, or at least be mirrored, otherwise things generally don't work.

Jon
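To put the two points of this thread side by side (Jon's: disabling the sysopt command makes decrypted tunnel traffic subject to the interface ACL; Leo's: the crypto ACLs must be mirrored on the two peers), here is a worked configuration. It is an added example, not taken from the original posts or from Cisco documentation. It assumes ASA / PIX 7.x syntax, where the command is spelled "sysopt connection permit-vpn" and is enabled by default; the peer addresses, subnets, ACL and crypto-map names, and the transform set are invented for illustration.

```cisco
! ---------------- Site A (outside 203.0.113.1, inside 10.1.0.0/24) ----------------
! Crypto ACL: selects what gets encrypted towards Site B.
! Site B's crypto ACL below is the mirror image of this one.
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-B
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Default state (bypass): decrypted tunnel traffic is NOT checked against
! the ACL applied to the outside interface.
!   sysopt connection permit-vpn
!
! Restricted state: decrypted tunnel traffic IS checked against the
! outside interface ACL, so the ACL decides what the remote site may reach.
no sysopt connection permit-vpn

! Interface ACL for the outside interface. Only the decrypted VPN flows
! listed here are allowed in; everything else from the tunnel is dropped
! by the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 443
access-list OUTSIDE_IN extended permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo
access-group OUTSIDE_IN in interface outside

! ---------------- Site B (outside 198.51.100.1, inside 10.2.0.0/24) ----------------
! Mirrored crypto ACL: same two subnets, source and destination swapped.
access-list VPN-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Site B's interface ACL does not have to match Site A's; it only has to
! permit the decrypted flows Site B wants to accept from 10.1.0.0/24.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.20 eq 22
access-group OUTSIDE_IN in interface outside
```

Two things to check after applying this. First, `no sysopt connection permit-vpn` is interface-wide: every tunnel terminating on `outside` (any remote-access VPN included) is now filtered by `OUTSIDE_IN`, so those flows need their own permit lines too. Second, confirm the result rather than assuming it: `show crypto ipsec sa` should show encaps/decaps counters rising on both peers for the mirrored subnets, and on the ASA `packet-tracer input outside tcp 10.2.0.5 12345 10.1.0.10 443` versus the same command with port 25 should show one flow permitted and the other dropped by the `OUTSIDE_IN` access-list. The IKE (UDP 500/4500) and ESP packets addressed to the firewall itself are not subject to the interface ACL, so they do not need entries in `OUTSIDE_IN`.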
