PIX IPSec and ACL Questions

Answered Question
Apr 23rd, 2010

Hello,


On a PIX 515E v.6.3.5.


Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")


1. NAT (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3. ACL - ACL to permit | deny traffic after ACL #1 and #2.


Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?


The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?


Thanks,

Dan

Correct Answer by Jon Marshall about 6 years 10 months ago

pdvcisco wrote:


Hello,


On a PIX 515E v.6.3.5.


Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")


1. NAT (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3. ACL - ACL to permit | deny traffic after ACL #1 and #2.


Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?


The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?


Thanks,

Dan


Dan


It depends


1) Not always used because with a site-to-site VPN sometimes you have to NAT your internal addressing


2) always needed


3) If "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN is terminated is bypassed. If it isn't enabled, then once packets are decrypted they are checked against the ACL.


Mirroring of ACLs is required.


Jon

pdvcisco Fri, 04/23/2010 - 13:37

Jon,


Thanks, that gets me mostly there. For the last question, which ACL "must" be mirrored: it is inferred from your answer that only the second ACL must be mirrored, and only that one matters to the actual IPSec VPN - the VPN doesn't even know of the other ACLs, correct?


Dan

Jon Marshall Fri, 04/23/2010 - 13:39

Dan


Correct, only crypto ACLs need to mirror each other, because it is this ACL that is used to determine what the peers think are the remote and local subnets.


Jon
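The three ACLs from the thread laid out in one PIX 6.3 site-to-site configuration, as an added example that is not from the original posts or from Cisco documentation; every address, ACL name and the pre-shared key are assumed for illustration.

```cisco
! Site A PIX 515E (6.3.x). Addresses are assumed for illustration:
!   Site A inside 10.1.1.0/24, outside 203.0.113.1
!   Site B inside 10.2.2.0/24, outside 203.0.113.2
!
! ACL #1 - NAT 0 ACL: exempt tunnel traffic from translation so the
! peer sees real inside addresses (omit if the design requires NAT).
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! ACL #2 - crypto ACL: selects the traffic that must be encrypted.
! Site B must carry the exact mirror image (see bottom).
access-list VPN-TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! ACL #3 - interface ACL on the tunnel-terminating interface.
access-list OUTSIDE-IN permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list OUTSIDE-IN permit esp host 203.0.113.2 host 203.0.113.1
! Only consulted for decrypted traffic when the sysopt below is absent:
access-list OUTSIDE-IN permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
!
! With this line, IKE/ESP to the PIX and decrypted tunnel traffic skip
! OUTSIDE-IN entirely, so the crypto ACL becomes the only filter on what
! the remote site can reach. Remove it to keep OUTSIDE-IN enforced.
sysopt connection permit-ipsec
!
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
!
! ---- Site B: the only piece the IPsec negotiation itself compares ----
! Its crypto ACL is the mirror image of VPN-TRAFFIC (source and
! destination swapped); a mismatch fails the Phase 2 proxy-ID check.
access-list VPN-TRAFFIC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! Site B's NONAT and interface ACLs are local choices and need not match.
```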
