
Ipsec Tunnel Tuning

I have two PIX 515Es and I have correctly configured two IPsec tunnels.

Now I have two problems:

- how to enable unidirectional traffic without using the "sysopt connection permit-ipsec" command?

- how to enable the unidirectional traffic from inside other than the DMZ?

Thanks for your attention.



Enrico VENA


Re: Ipsec Tunnel Tuning

The VPN access-list is, or can be, split into three parts.

1.) Outside interface access-list. This is generally used to allow a specific VPN peer to connect with ESP and ISAKMP.

PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp

PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP

PIX(config)# access-group acs-outside in interface outside

2.) The NONAT access-list, as the name already describes, is the access-list that disables NAT from the remote to the local network.

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# nat (inside) 0 access-list NONAT

3.) The interesting part: the access-list that permits what we want to pass in the tunnel. You can, for example, just allow the telnet protocol from remote host B to local host A.

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN


The "sysopt connection permit-ipsec" command permits IPsec traffic through the PIX without an ACL statement.




Re: Ipsec Tunnel Tuning

With the command "sysopt connection permit-ipsec" disabled, an inbound ACL will be required.

e.g. net1 <--> pix1 <--> www/vpn <--> pix2 <--> net2

On pix1, an inbound ACL permitting net2 to net1 is required. In fact, you can further restrict the access down to protocol/port level:

access-list 100 permit tcp host host eq 3389

access-group 100 in interface outside

One point to note when disabling the command "sysopt connection permit-ipsec" is that you will need to add all VPN traffic to the inbound ACL, including all LAN-to-LAN VPN and remote-access VPN traffic.

Regarding the second issue, "how to enable the unidirectional traffic from inside other than the DMZ?": you just need to add the inside subnet to the NONAT ACL and the existing crypto ACL.
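Putting the two replies together, the following is an added example configuration (it is not from either poster) in PIX 6.x syntax. It carries both the inside subnet and the DMZ subnet through the same tunnel, keeps "sysopt connection permit-ipsec" disabled so that decrypted packets are checked against the outside interface ACL, and admits only RDP from the remote network to a single inside host. All addresses, ACL names, the transform set name and the pre-shared key placeholder are assumptions chosen for the example.

```cisco
: Added example, not from the original posts. Assumed values:
:   local outside IP   203.0.113.1      peer outside IP  198.51.100.1
:   local inside net   10.1.1.0/24      local DMZ net    10.1.2.0/24
:   remote net         10.2.0.0/24      protected host   10.1.1.50 (RDP)
:
: --- IKE phase 1 (assumed policy) ---
isakmp enable outside
isakmp key REPLACE-WITH-REAL-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: --- 1) Outside interface ACL ---
: IKE and ESP from the peer to our outside address, then the decrypted
: traffic we are willing to accept. Nothing else from the remote net gets
: in; replies to sessions opened from inside are handled by the stateful
: connection table, so this is the "unidirectional" behaviour asked for.
access-list acs-outside permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list acs-outside permit esp host 198.51.100.1 host 203.0.113.1
access-list acs-outside permit tcp 10.2.0.0 255.255.255.0 host 10.1.1.50 eq 3389
access-group acs-outside in interface outside
:
: --- 2) NAT exemption ---
: Both local subnets must reach the remote net untranslated, so each
: interface that sources tunnel traffic gets a nat 0 statement.
access-list NONAT-INSIDE permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT-DMZ permit ip 10.1.2.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (dmz) 0 access-list NONAT-DMZ
:
: --- 3) Crypto ACL ("interesting traffic") ---
: Lists every local subnet that belongs in the tunnel; the peer's crypto
: ACL must be the mirror image (source and destination swapped).
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN permit ip 10.1.2.0 255.255.255.0 10.2.0.0 255.255.255.0
:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer 198.51.100.1
crypto map REMOTE 10 set transform-set ESP-3DES-SHA
crypto map REMOTE interface outside
:
: Remove the blanket bypass so acs-outside is enforced on decrypted packets.
: Any other LAN-to-LAN or remote-access VPN terminating on this PIX now
: also needs its traffic listed in acs-outside.
no sysopt connection permit-ipsec
```

Two checks worth running after applying this: "show crypto ipsec sa" should show the decrypt counters climbing when the remote side sends traffic, and "show access-list acs-outside" should show hit counts on the tcp/3389 line and not on the implicit deny; decrypt counters rising with no ACL hits means the outside ACL is blocking the decrypted traffic, which is the expected failure mode once "sysopt connection permit-ipsec" is off.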


Re: Ipsec Tunnel Tuning

Thanks for your indications: I have solved my problems successfully.


Re: Ipsec Tunnel Tuning

It's good to learn that your issue has been resolved.
