
New Member

Pix-VPN traffic specification ? ? ?


I've a problem:

I want to set up VPN remote access between the VPN3000 software client and a PIX.

I've configured properly the pix and all works well.

Now, if I want to prevent the clients from contacting some services on some hosts on the inside PIX network, how can I do it?

I've experienced the same problem with a LAN-to-LAN, where my PIX connects to another PIX to which I have no access...

The problems that I've seen are:

- the nonat access-list, for the nat 0 command, must be IP (I can't specify TCP ports)

- the crypto map match address again wants an IP access-list; I've tried with a TCP access-list but it doesn't work

(really, only in the case of remote access, I've seen that the "dynamic" crypto map match address doesn't work even with an IP access-list, but this is not a problem, I've worked with the nonat ACL).

- if I put an ACL on the inside interface, the traffic coming back from the session originated by the outside VPN client doesn't match it, since clearly the ACLs are stateful...

How can I solve this trouble???

Thanks in advance for the advice.

best rgds,


New Member

Re: Pix-VPN traffic specification ? ? ?

One option may be to not explicitly permit IPSec with the "no sysopt permit-ipsec" command.

Then you can build access-lists or conduits to allow the IPsec traffic in - that way you can specify TCP.

I hope that's clear.

New Member

Re: Pix-VPN traffic specification ? ? ?


Thanks, but I don't think that it would work:

at the outside interface of the PIX, IPsec packets arrive (TCP or UDP aren't visible) and only afterwards are the packets decapsulated... so I think it is not possible to work at the outside interface level.



New Member

Re: Pix-VPN traffic specification ? ? ?

It works. I do it on our firewall.

New Member

Re: Pix-VPN traffic specification ? ? ?


Thanks very much, but I don't understand...

I'd be very pleased if you could specify what you have done.

I list this simple configuration for you; what can I do to specify the traffic permitted in the VPN (for example: if I want the outside network to see only TCP port 80 of the specified internal host)?

ip address outside
ip address inside
route outside 192.168.zxc.vbv
access-list nonat permit ip host
access-list 100 permit ip host
nat (inside) 0 access-list nonat
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ********** address netmask
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
sysopt connection permit-ipsec



New Member

Re: Pix-VPN traffic specification ? ? ?

The following command disables ASA (conduit or access-list) bypass for IPSec sessions. Therefore, you must then create an inbound rule for the VPN traffic to get in.

no sysopt connection permit-ipsec

If you are using conduits it would look like this.

conduit permit tcp host eq 80

Good Luck.
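As an added illustration, not taken from any post in this thread: the same restriction written with the PIX access-list form instead of a conduit, placing the weak default beside the hardened setting. The addresses are constructed placeholders (10.1.1.10 as the internal web server, 192.168.200.0/24 as the remote VPN side).

```cisco
! Constructed example, not from the thread. Placeholder addresses:
!   10.1.1.10        - internal web server on the inside interface
!   192.168.200.0/24 - address range on the remote side of the tunnel
!
! Weak (default) setting: decrypted IPsec traffic bypasses the outside ACL,
! so the remote side can reach every port on every inside host.
sysopt connection permit-ipsec

! Hardened form: stop the bypass so decrypted traffic is checked against
! the inbound ACL on the outside interface...
no sysopt connection permit-ipsec

! ...and permit only TCP 80 to the one internal host. The nat 0 and
! crypto-map ACLs stay "permit ip" as noted above; port filtering lives here.
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 host 10.1.1.10 eq 80
access-group outside_in in interface outside

! Check hit counts on the entry once a client has connected:
! show access-list outside_in
```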

New Member

Re: Pix-VPN traffic specification ? ? ?

I encountered the same problem when I was setting up a PIX-to-PIX VPN. Instead of the access-list I used conduits to narrow down access to the appropriate TCP ports.

