Cisco Support Community
Community Member

Pix 515E Ipsec Peer ACL

I have a PIX 515E at my main site and some remote routers [PIX and Netopia] that are coming in as IPsec peer-to-peer connections.

Currently my remotes have static IPs, and I have sysopt connection permit-ipsec enabled. Is there any way to remove the [sysopt connection permit-ipsec] and set up the remote IPs only for permit ipsec?

Currently if I do an Nmap scan of my PIX 515E from a remote network it shows UDP port 500 open. I like to keep ports locked down for only remote IPs I allow.

I've talked to a few people about this, including a couple of Cisco PIX support personnel, but never got a full explanation on how to make it work.



Community Member

Re: PIX 515E IPsec Peer ACL

I believe you can. I can't remember the exact syntax, but I know you will need (depending on your transform-set) individual ACL statements for each protocol:

an ACL for the AH portion

an ACL for the ESP portion

an ACL for the ISAKMP portion

I know I have seen this syntax before, and I will look for it. But I am sure if you actually try to configure it on your fw you will be able to figure it out.

Hope this helps, and I will look for the exact syntax.
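A worked example of the per-peer, per-protocol approach the reply sketches, added here and not taken from either post; the outside interface address, the two peer addresses, the LAN ranges and the ACL name outside_in are constructed placeholders.

```cisco
! Added example in PIX 6.x syntax; not from the original thread.
! Constructed values: PIX outside address 198.51.100.1,
! remote peers 203.0.113.10 (remote PIX) and 203.0.113.20 (Netopia),
! ACL name outside_in. Substitute your own addresses.

! One entry per protocol, per peer: ISAKMP (UDP 500), ESP (IP proto 50),
! and AH (IP proto 51) only if the transform-set actually uses AH.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-list outside_in permit ah  host 203.0.113.10 host 198.51.100.1

access-list outside_in permit udp host 203.0.113.20 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.20 host 198.51.100.1
access-list outside_in permit ah  host 203.0.113.20 host 198.51.100.1

! If a peer is behind NAT and NAT-T is negotiated, IKE and ESP move to UDP 4500.
access-list outside_in permit udp host 203.0.113.20 host 198.51.100.1 eq 4500

! Without sysopt connection permit-ipsec the decrypted packets from the
! remote LAN are also checked against this ACL, so they must be permitted too.
! Constructed example: remote LAN 192.168.10.0/24 reaching inside 10.1.0.0/16.
access-list outside_in permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0

! Everything else, including UDP 500 probes from unlisted addresses,
! falls through to the implicit deny at the end of the ACL.
access-group outside_in in interface outside
no sysopt connection permit-ipsec
```

After applying it, a scan from an address that is not listed should no longer report UDP 500 as open, while `show access-list outside_in` shows hit counts climbing on the entries for the real peers as their tunnels re-establish.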
