Cisco Support Community
Community Member

pix 6.3(1) and vpn client with no sysopt

1- Pix 6.3(1) with 2 vpn site-to-site and client vpn on the outside interface.

2- "no sysopt connection permit-ipsec" to better control traffic coming from the 2 site-to-site tunnels with an access-list on the outside interface.

3- vpn client with authentication on tacacs+ with a dynamic access-list locally defined on the Pix.

When a vpn client connects to the pix, I can see a dynamic acl "dynaclxx" to permit the response from the inside network, but no dynamic acl on the outside interface. The dynamic acl assigned by the tacacs+ is active and running, and with the "show uauth" command I can see the dynamic acl applied to the user, but I need to insert a static acl line in the outside acl to permit traffic coming from the vpn client (with sysopt enabled, no problem).

The problem is spoofing caused by the static line inserted in the outside acl!

Thank you in advance


Re: pix 6.3(1) and vpn client with no sysopt


This is the expected behaviour, and you will need to open up that traffic using a static entry in the outside (inbound) acl.

Using sysopt avoids such threats. If you want to restrict traffic, you can use an inbound ACL on the inside interface(s), or use a proper split tunnel list to let clients only encrypt what they are supposed to encrypt.

Best Regards,

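As an added illustration of the two options in this reply (example configuration written for this thread, not the original poster's config or a Cisco reference), a PIX 6.3 fragment that keeps "no sysopt connection permit-ipsec" so the site-to-site traffic stays under the outside ACL, while giving the VPN clients a split-tunnel list. The interface names, the ACL names, the inside subnet 192.168.10.0/24, the remote LAN 192.168.20.0/24 and the client pool 10.99.0.0/24 are assumed values.

```text
! Assumed addressing (constructed for this example):
!   inside LAN      192.168.10.0/24
!   site-to-site LAN 192.168.20.0/24
!   VPN client pool 10.99.0.0/24
ip local pool vpnpool 10.99.0.1-10.99.0.254

! Decrypted IPsec traffic is NOT exempt from interface ACLs,
! so the outside ACL controls both tunnel types.
no sysopt connection permit-ipsec

! Site-to-site: only the services the remote LAN is allowed to reach.
access-list outside_in permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443

! VPN clients: no dynamic entry is inserted here (as the thread notes),
! so a static line for the pool is required. This is the line the
! original post is worried about: any cleartext packet arriving on the
! outside interface with a source in 10.99.0.0/24 matches it too.
access-list outside_in permit ip 10.99.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group outside_in in interface outside

! Inbound ACL on the inside interface: limits what inside hosts may
! send back toward the pool and the remote LAN.
access-list inside_in permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list inside_in permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-group inside_in in interface inside

! Split-tunnel list: clients only encrypt traffic destined to the
! inside LAN; everything else leaves the client in the clear.
access-list split_tunnel permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients split-tunnel split_tunnel
```

The pool entry in outside_in is the minimum needed for clients to pass with sysopt disabled; the inside_in and split_tunnel lists narrow what those clients and the inside hosts can reach but do not change which outside packets match the pool line.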

Community Member

Re: pix 6.3(1) and vpn client with no sysopt

Afaq, but an inbound acl on the inside interfaces only works on traffic generated by the inside ip, not by the outside vpn client.

Sysopt is not usable because I verified it avoids such threats, but it does not permit control of ip traffic coming from the site-to-site vpn with an inbound acl on the outside interface.

Thank you in advance


Community Member

Re: pix 6.3(1) and vpn client with no sysopt

Afaq, with "no sysopt connection permit-ipsec", do you think I can resolve the threats with radius in the place of tacacs+? Or with a dynamic acl defined on the acs in the place of a dynamic acl defined on the pix?

Actually, no dynamic acl (defined on the pix and recalled by the acs) is added to the outside static access-list during the vpn client session.

With "sysopt connection permit-ipsec" I have no problem but I can see a reduced control on site-to-site vpn.


