Cisco Support Community

New Member

Filtering de-crypted VPN traffic terminating on the PIX

After searching Cisco's website, reading posts on this board and other boards, and reading a limited number of good books on the Cisco PIX firewall, I still have a question that I cannot definitively answer for myself.

Scenario: PIX 525 site-to-site VPN with Checkpoint NG 650 firewall as the remote VPN peer.

Goal: Limit inbound, de-crypted traffic from the network behind the remote VPN peer to access only specific hosts and ports on the network behind the PIX 525 firewall.

Question: What is the best way (or options) to accomplish the above goal?

1. Is it better to use the "sysopt connection permit-ipsec" command to allow IPSec VPN traffic to "by-pass" inbound ACLs on the outside interface as well as the ACLs that "define" which traffic is to be tunneled between the PIX firewall and Checkpoint NG 650 firewall?


2. Is it better to configure the PIX without the sysopt connection permit-ipsec command and instead utilize an inbound ACL to filter both IPSec VPN traffic (based on source, destination and ports) and the decrypted traffic (based on source, destination and ports) ? Is my understanding correct, with this option, that once VPN traffic is processed and authenticated that the decrypted traffic must meet the filter conditions defined in the inbound access-list applied to the outside interface on the PIX firewall?

I'm aware that Cisco recommends using the "sysopt connection permit-ipsec" command because not doing so can lead to high processor utilization.

For the project at hand, the importance of limiting the decrypted traffic to only certain hosts and ports outweighs processor utilization.

Thanks in advance for any and all posts regarding this matter!

Re: Filtering de-crypted VPN traffic terminating on the PIX

Ans1: your understanding is right.

Ans2: your understanding about the ACL processing seems right.

I'd like to add some more to it:

1 - configure port-based IPSec crypto ACLs between the two devices, to make sure that you encrypt/decrypt only what you want, but in case of CheckPoint, it may have some problems.

2 - you can filter traffic inbound/outbound on the inside PIX interface as well to limit it to certain ports/IPs.

my 2 cents.

Thanks - Afaq
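As an added illustration of option 2 from the question and Afaq's two points (this is an example configuration written for this page, not something posted in the thread): a PIX 6.x site-to-site tunnel where `sysopt connection permit-ipsec` is left off, so the decrypted traffic has to pass the outside interface ACL. All addresses, ACL names, host roles and the pre-shared key placeholder are assumptions made up for the example.

```text
: Added example (not from the thread): PIX 6.x site-to-site tunnel with the
: decrypted traffic filtered by the outside ACL instead of bypassing it.
: All addresses are constructed documentation ranges (RFC 5737 / RFC 1918):
:   PIX outside 198.51.100.1, Checkpoint peer 203.0.113.5
:   local LAN 10.10.0.0/16 behind the PIX, remote LAN 10.20.0.0/16
: Lines starting with ":" are comments that the PIX ignores.

: Crypto ACL: defines what is tunneled. Kept IP-wide because Afaq notes that
: port-based crypto ACLs can cause problems with Checkpoint; the host/port
: filtering is done on the interface ACLs below instead.
access-list vpn_traffic permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list vpn_traffic

: Without sysopt connection permit-ipsec the outside ACL is checked both
: against the encrypted packets (ISAKMP/ESP from the peer) and again
: against the decrypted packets. Permit only the tunnel itself ...
access-list outside_in permit udp host 203.0.113.5 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.5 host 198.51.100.1
: ... and only the inner flows the remote LAN is allowed to reach.
access-list outside_in permit tcp 10.20.0.0 255.255.0.0 host 10.10.1.20 eq 443
access-list outside_in permit tcp 10.20.0.0 255.255.0.0 host 10.10.1.25 eq smtp
: Everything else from the tunnel (and from the Internet) hits the implicit deny.
access-group outside_in in interface outside

: IKE and IPSec for the Checkpoint peer.
isakmp enable outside
isakmp key PLACEHOLDER_PRESHARED_KEY address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.5
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

: Option 2 from the question: do NOT let IPSec traffic bypass the interface
: ACL, so the decrypted packets are subject to outside_in.
no sysopt connection permit-ipsec

: Optional second layer (Afaq's point 2): an inside-interface ACL limiting
: what the local LAN may initiate into the tunnel, while leaving other
: outbound traffic alone.
access-list inside_out permit tcp host 10.10.1.20 10.20.0.0 255.255.0.0 eq 443
access-list inside_out deny ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list inside_out permit ip 10.10.0.0 255.255.0.0 any
access-group inside_out in interface inside
```

Verify the result with `show access-list outside_in` after sending test traffic through the tunnel: hit counts should increase only on the isakmp/esp lines and on the specific host/port lines, and decrypted packets to any other host should appear as denies in the syslog.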

New Member

Re: Filtering de-crypted VPN traffic terminating on the PIX

Thanks Afaq.