Absence of 'sysopt connection permit-ipsec'

I want to run my dial-in VPN clients through the rulebase as does all the other traffic. I can do this by removing 'sysopt connection permit-ipsec', and letting them access resources via outside_access_in. However if I do this, do I also need to allow a rule to terminate the IPSec tunnel against the Outside Interface as well?

-Alex

1 REPLY

Re: Absence of 'sysopt connection permit-ipsec'

Alex,

Nope. ACL's on the PIX only effect (affect, I can never remember which one) transit traffic, that is traffic going through the PIX. Packets destined *to* the PIX are not processed by the ACL. Since the IPSec tunnel is terminated on the PIX, you do not need to add an ACL statement to allow this traffic in. If you do remove the sysopt connection permit-ipsec, you will need to create ACL's that allow the traffic into your network that you want from the VPN clients. The source addresses you will use for these ACL's are going to be from the range you assigned to the VPN pool. Good luck.

Scott
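The configuration below is an added illustration of Scott's answer, not configuration posted in the thread: it shows the PIX with `sysopt connection permit-ipsec` removed and the decrypted client traffic controlled by `outside_access_in`. The pool range 192.168.100.0/24, the inside host 10.1.1.10 and the interface name `outside` are assumed example values.

```cisco
! Assumed address pool handed to dial-in VPN clients (example values)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Once this sysopt is removed, decrypted client packets are checked against
! the ACL bound to the outside interface like any other transit traffic.
! The IKE (UDP/500) and ESP packets themselves terminate *on* the PIX, so
! no ACL entry is needed for them.
no sysopt connection permit-ipsec

! Permit only what the VPN clients need. The source is the pool range,
! because that is what the clients' packets carry after decryption.
! PIX ACLs use subnet masks, not IOS-style wildcard masks.
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 80
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 443
! Rules for Internet-sourced traffic follow here; everything not permitted
! is dropped by the implicit deny at the end of the list.

access-group outside_access_in in interface outside
```

After a client connects, `show access-list outside_access_in` shows hit counts climbing on the pool-sourced entries, which confirms the client traffic is really being evaluated by the rulebase rather than bypassing it.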
