Site-to-Site VPN with no sysopt connection permit-vpn

Unanswered Question
Jul 7th, 2008

I created a site-to-site VPN between an ASA and a PIX with no sysopt connection permit-vpn.

I used an interface access-list to control what the remote site (PIX) can access at the main site (ASA).

The IPSec connection is up and everything is working fine.

I have a question related to the access rules for ISAKMP and IPSec.

1. Do I need to create an access rule to permit the protocols ISAKMP, ESP and AH at the outside interface?

My understanding is that when traffic comes to an interface, the access rule is applied and packets are permitted or dropped based on the rules.

It seems the IPSec tunnel can be established without even applying those access rules at the interface.

Thanks in advance for your time!

Best Regards

Marwan ALshawi Mon, 07/07/2008 - 21:53
You have to have an ACL that allows ISAKMP and ESP from your remote site to your local site and vice versa to establish the tunnel on the terminating device; reasonably, if you block it, how is the tunnel going to be established?

kyawzawhtut Mon, 07/07/2008 - 22:00
The connection is like this.

Main Site > ASA > Outside < PIX

From the inside interface of both the main and remote site, everything is allowed.

An ACL is applied to the outside interface of both. But this ACL doesn't permit ISAKMP, ESP or AH. The tunnel is still established. That's what puzzles me.

The IPSec connection doesn't go through the firewalls; it ends at the outside interface of both firewalls.

To repeat my question: if the ACL doesn't allow it, why can the tunnel still be established and IPSec packets still go through? If I block other traffic, I can see that the network becomes unreachable, but it seems I don't need to put ACL entries in for ISAKMP, AH and ESP.

Any idea?

a.alekseev Mon, 07/07/2008 - 22:55
ACL is applied to outside interface of both. But this ACL doesn't permit ISAKMP, ESP, AH. Tunnel is still established.

That is OK.

The access-list attached to the outside interface is applied only to traffic going through the PIX, and not to traffic terminating on the PIX itself.

If you have "no sysopt connection permit-vpn", you need additional lines in the ACL to permit the traffic inside the IPSec tunnel.
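The following ASA configuration is an added illustration of the point made above; it is not taken from the thread or from either poster's devices. The networks (192.168.1.0/24 behind the ASA, 192.168.2.0/24 behind the PIX), the PIX peer address 203.0.113.2, the ACL and crypto-map names and the pre-shared key are all constructed placeholders. It shows an outside-interface ACL that permits only specific traffic arriving through the tunnel while containing no entries at all for ISAKMP, ESP or AH, which is exactly the situation the original poster observed.

```cisco
! Added example (not from the thread). Constructed addresses:
!   main site inside   = 192.168.1.0/24 (behind the ASA)
!   remote site inside = 192.168.2.0/24 (behind the PIX)
!   PIX outside peer   = 203.0.113.2 (documentation range)
!
! Disable the implicit bypass, so traffic coming out of the tunnel is
! evaluated against the outside interface ACL like any other through-traffic.
no sysopt connection permit-vpn
!
! Outside interface ACL. There are deliberately no entries for UDP/500
! (ISAKMP), ESP or AH: those packets terminate on the ASA itself, and an
! interface ACL only evaluates traffic that passes *through* the box.
! Only the decrypted traffic from the remote inside network is filtered here.
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 22
! Explicit logged deny makes anything else the remote site attempts visible in syslog.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The crypto ACL selects what gets encrypted into the tunnel; it is a
! separate decision from what OUTSIDE_IN permits after decryption.
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! ISAKMP is only enabled on the outside interface, which is the one place
! the ASA will accept IKE negotiations (a to-the-box control, not an ACL).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK_CHANGE_ME
```

With this configuration the tunnel comes up even though OUTSIDE_IN never mentions ISAKMP or ESP, because those packets are destined to the ASA's own outside address and are not subject to the interface ACL. What the ACL does govern is the decrypted traffic from 192.168.2.0/24: only HTTPS to the main-site network and SSH to one host are allowed, and the trailing `deny ip any any log` line records every other attempt from the remote site, which is the visibility you lose when `sysopt connection permit-vpn` is left at its default.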

kyawzawhtut Mon, 07/07/2008 - 22:59
Thanks for your reply. So just to be precise, the ACL is only applied to traffic going through the interface and not to traffic terminating at the interface.

I already permit traffic from the inside network so it can access the remote inside network.

Thanks for the clarification. Is there any reference I can look at for your statement, because I need to prove it? :)