Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

no sysopt connection permit-pptp but no ACL hits??


We have Pix 506E (running 6.3(5)) with Cisco VPN client working fine.

However, I have a question. It is not causing any issue but I need to understand.

We diabled "sysopt connection permit-ipsec" and apply the access-l abc on the inside interface which users establish the VPN connections through.

Somehow this access-l abc has no hits.

Can someone explain why?

access-list abc line 1 permit esp any host (hitcnt=0)

access-list abc line 2 permit udp any host eq isakmp (hitcnt=0)

access-list abc line 3 permit udp any host eq 4500 (hitcnt=0)

pix# sh sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

no sysopt connection permit-ipsec

no sysopt connection permit-pptp

no sysopt connection permit-l2tp

no sysopt ipsec pl-compatible

Hall of Fame Super Blue

Re: no sysopt connection permit-pptp but no ACL hits??


Because unlike a router with a pix you do not need to specify the IPSEC ports in your acl.

Entering "no sysopt connection permit-ipsec" as you say means that the VPN is subjected to the access-list list on that interface rather than bypasssing it. But that access-list is for traffic once it has been decrypted.

Indeed we had a thread a while back where we tried to stop the pix accepting IPSEC ports on it's outside interface by using deny statements equivalent to your permit statements above and it still accepted VPN connections. Of course without the right key etc. a vpn wasn't formed but the pix still accepted the IPSEC ports.



CreatePlease to create content