New Member

Access-list IPsec/ISAKMP filtering not working on 7.0?

Hi all,

We recently upgraded from PIX 6.4 to PIX 7.0(5). We noticed the following rather strange behaviour:

- ISAKMP, ESP and AH messages during negotiation do not pass through the external access-list!!!! Now, I know this is possible through the "sysopt connection permit-ipsec" command, but we specifically have "no sysopt connection permit-ipsec" configured!!!

The outside access-list is:

access-list outside-in line 1 remark Permit IPSEC VPN Traffic
access-list outside-in line 2 extended permit udp object-group vpn_peers host outside_inf eq isakmp
access-list outside-in line 3 extended permit esp object-group vpnp_eers host outside_inf
access-list outside-in line 4 deny udp any any eq isakmp
access-list outside-in line 4 deny esp any any
access-list outside-in .....................

Any ideas what changed in the new version?

3 REPLIES
Gold

Re: Access-list IPsec/ISAKMP filtering not working on 7.0?

Do you use AH in the transform set? The ACL is missing an AH permit.

Try:

access-list outside-in extended permit esp object-group vpn_peers host outside_inf

There is also a typo in the ACL: on the esp line the object group is vpnp_eers, not vpn_peers.

M.
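To make the first-match behaviour that this thread is reasoning about concrete, and to show what the mistyped object-group name on the esp line does to the evaluation, here is a small evaluator added for this page. It is not Cisco code and not from either poster. The peer addresses and the address behind the host object `outside_inf` are constructed sample values, and an undefined object-group is treated as matching nothing, which is a simplification of how a real PIX handles the reference.

```python
"""Toy first-match evaluator for the PIX 'outside-in' access-list quoted in this thread.

Added example, not from the thread. Object-group members and the address behind
'host outside_inf' are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"isakmp": 500}

# Constructed sample data: the thread does not give the real peer or interface addresses.
OBJECT_GROUPS: Dict[str, Set[str]] = {"vpn_peers": {"203.0.113.10", "203.0.113.11"}}
HOST_NAMES: Dict[str, str] = {"outside_inf": "198.51.100.1"}


@dataclass
class Ace:
    text: str
    action: str            # "permit" or "deny"
    proto: str             # "udp", "esp", "ah", ...
    src: Tuple[str, str]   # ("any", ""), ("host", name) or ("object-group", name)
    dst: Tuple[str, str]
    dport: Optional[int]   # destination port from 'eq <port>', if any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list <name> ...' line; remark lines return None."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    i = 2                        # skip 'access-list <name>'
    if tokens[i] == "line":
        i += 2                   # skip the 'line <n>' position prefix
    if tokens[i] == "remark":
        return None
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2

    def take_addr(pos: int) -> Tuple[Tuple[str, str], int]:
        if tokens[pos] == "any":
            return ("any", ""), pos + 1
        return (tokens[pos], tokens[pos + 1]), pos + 2   # 'host X' or 'object-group G'

    src, i = take_addr(i)
    dst, i = take_addr(i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return Ace(line, action, proto, src, dst, dport)


def addr_matches(spec: Tuple[str, str], addr: str) -> bool:
    kind, name = spec
    if kind == "any":
        return True
    if kind == "host":
        return HOST_NAMES.get(name, name) == addr
    if kind == "object-group":
        # Simplification: a group that is not defined matches nothing, so the
        # mistyped 'vpnp_eers' line never permits anything and ESP falls through
        # to the explicit deny below it.
        return addr in OBJECT_GROUPS.get(name, set())
    raise ValueError(f"unknown address spec {spec}")


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace is None or ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The ACL exactly as quoted in the original post (with its object-group typo).
ACL_AS_POSTED = [
    "access-list outside-in line 1 remark Permit IPSEC VPN Traffic",
    "access-list outside-in line 2 extended permit udp object-group vpn_peers host outside_inf eq isakmp",
    "access-list outside-in line 3 extended permit esp object-group vpnp_eers host outside_inf",
    "access-list outside-in line 4 deny udp any any eq isakmp",
    "access-list outside-in line 4 deny esp any any",
]
# The same ACL with the object-group name corrected as the reply suggests.
ACL_CORRECTED = [l.replace("vpnp_eers", "vpn_peers") for l in ACL_AS_POSTED]

if __name__ == "__main__":
    probes = {
        "ISAKMP from peer": Packet("udp", "203.0.113.10", "198.51.100.1", 500),
        "ESP from peer": Packet("esp", "203.0.113.10", "198.51.100.1"),
        "ISAKMP from non-peer": Packet("udp", "192.0.2.5", "198.51.100.1", 500),
        "AH from peer": Packet("ah", "203.0.113.10", "198.51.100.1"),
    }
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        for label, pkt in probes.items():
            action, hit = evaluate(acl, pkt)
            print(f"{name:9} | {label:20} -> {action:6} ({hit})")
```

Run stand-alone it prints the verdict per probe for both ACL versions: ISAKMP from a listed peer is permitted by line 2 in both, ESP from the same peer is denied by the `deny esp any any` line while the object-group name is mistyped and permitted once it is corrected, and AH hits the implicit deny in both because no ACE mentions it.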

New Member

Re: Access-list IPsec/ISAKMP filtering not working on 7.0?

No. We do not use AH since it is no longer supported by most of the IPsec gateway vendors.

Re: Access-list IPsec/ISAKMP filtering not working on 7.0?

I have the same question. Any ideas?

Thank you
