Sysopt command for ipsec

ty.masse
Level 1

When I use the sysopt connection permit-ipsec command on the PIX, does it open all relevant ports for VPN, such as ESP, AH, UDP 500, etc.? Does that mean if I have a VPN concentrator, I don't need to create statics and ACLs in the PIX for that concentrator?

Thanks.

2 Replies

mhoda
Level 5

Hi,

This will open up the necessary ports for a VPN tunnel terminating on the PIX, not across the PIX to a different VPN device on the inside. For that, you still need to open up all the ports using static/ACL etc.

Thanks,

Mynul

msitzman
Cisco Employee

Hi there,

To be a little more specific with the operation of the sysopt connection permit-ipsec command...

It does not specifically "open" ports for the VPN traffic. The PIX will listen for VPN connections without this command. The PIX changes how it treats the VPN traffic with the sysopt enabled. With the sysopt connection permit-ipsec command the VPN traffic will be able to bypass the ASA operation of the PIX once the traffic is decrypted. This means that you are not required to have static statements and conduits (or access-lists) to allow the VPN traffic to pass through the PIX. It is really as if the VPN traffic is dropped on the inside interface of the PIX once the clients are connected.

Hope this helps...

Marcus
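The two situations described in the replies above, shown side by side as an added PIX 6.x configuration example. This is not configuration from the original thread or from either poster; the interface names, the access-list name outside_in and all addresses (RFC 5737 documentation ranges: 203.0.113.10 as the concentrator's public address, 192.168.1.10 as its inside address, 198.51.100.5 as the remote IPsec peer) are constructed for illustration.

```cisco
! Case 1: the IPsec tunnel terminates on the PIX itself.
! With this sysopt, traffic that the PIX has decrypted skips the outside
! interface access-list / conduit check, so no static or ACL entries are
! needed for the tunnelled traffic.  It does not "open" any ports: the
! PIX listens for ISAKMP/ESP as a peer regardless of this command.
sysopt connection permit-ipsec

! Case 2: a separate VPN concentrator sits on the inside (constructed
! addresses).  The PIX is only forwarding the still-encrypted traffic,
! so the sysopt does not apply and a static plus explicit ACL entries
! are required for every protocol the tunnel uses.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Permit only the known remote peer where possible; use "any" as the
! source only for roaming remote-access clients whose address is unknown.
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_in permit ah  host 198.51.100.5 host 203.0.113.10
! UDP 4500 is needed only if the peers negotiate NAT traversal (assumption
! about the deployment; omit it if NAT-T is not in use).
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-group outside_in in interface outside
```

The isakmp keyword resolves to UDP 500 and esp/ah are the PIX protocol names for IP protocols 50 and 51. A quick check after applying Case 2 is `show access-list outside_in`, whose per-entry hit counts should increment when the remote peer starts a tunnel; entries that never match usually mean the static or the source address in the ACL is wrong.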