Cisco Support Community

New Member

Control encrypted packet for dynamic crypto map

I have 1 PIX configured with a dynamic crypto map. The remote routers will dial to the ISP and establish IPSec tunnels to the PIX. How do I control the encrypted packet initiated from the remote routers? Can the PIX control/filter the encrypted packet after decryption?

Cisco Employee

Re: Control encrypted packet for dynamic crypto map

Do you mean you want to filter the packets from these remote sites after they've been decrypted by the PIX?

If so, you can't really do it easily. Usually in the PIX config you'll have a "sysopt connection permit-ipsec" command which allows IPSec packets into the PIX bypassing all the ACLs. If you don't have this, you have to create an ACL on your crypto interface that says "allow IPSec and ISAKMP packets into this interface". You really can't filter the decrypted packet at this point cause the PIX doesn't see it.

About the only way to do it is to filter the packet as it is replied to by the internal host and comes into the inside interface of the PIX. This still allows the packet to reach the internal host, but stops the reply from getting back to the end user.

Alternatively, on the remote routers simply modify your crypto ACL to only include access to the specific hosts you want, rather than to the whole PIX inside subnet.
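The three controls described in the reply above, laid out as one configuration (an added example, not configuration from the original thread; all addresses, ACL and map names are constructed placeholders):

```cisco
! PIX 6.x. Constructed values: PIX outside address 203.0.113.1, inside subnet
! 10.1.0.0/24, remote LANs behind the dial-up routers in 192.168.0.0/16.

! --- Common default: IPSec traffic bypasses every interface ACL on its way in.
sysopt connection permit-ipsec

! --- Without the bypass, the crypto (outside) interface ACL must admit the tunnel
! protocols itself. Peers have dynamic addresses, so the source has to be "any".
no sysopt connection permit-ipsec
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit esp any host 203.0.113.1
access-group outside_in in interface outside

! Dynamic crypto map: the PIX accepts tunnels from any peer, it never initiates.
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

! Neither of the above sees the decrypted packet. The PIX-side control the reply
! describes is on the inside interface: only the intended host may answer the
! remote LANs, so other hosts' replies are dropped before they are encrypted back.
access-list inside_in permit ip host 10.1.0.5 192.168.0.0 255.255.0.0
access-list inside_in deny ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_in permit ip 10.1.0.0 255.255.255.0 any
access-group inside_in in interface inside

! Remote router (IOS), the alternative from the last paragraph: the crypto ACL
! names only the one inside host instead of the whole PIX inside subnet.
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.1.0.5
```

The inside ACL only limits which replies leave; the first packet from the remote site still reaches the inside host, exactly as the reply states.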

New Member

Re: Control encrypted packet for dynamic crypto map

The PIX cannot filter packets replied by the internal host because these packets match the crypto ACL and will bypass the interface ACL.

What is the order of the following processes performed by the PIX in the outbound and inbound directions: IPSec, interface ACL? I can find this information for the router at

My situation is: I have a PIX with a fixed public IP. The remote routers obtain a dynamic IP from the ISP and the router configuration is not UNDER MY CONTROL. The IPSec tunnels are initiated by the remote routers. What is the best way for me to control the IPSec traffic?

For a PIX dynamic crypto map, the PIX will create a crypto ACL which is a mirror of the remote router's crypto ACL.