Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

ovt Bronze

sysopt connection permit-ipsec and ACL


What does the "sysopt connection permit-ipsec" command exactly do:

- permits ESP and UDP/500 to terminate on PIX?

- permits ESP and UDP/500 to pass thru PIX without ACL checking?

- permits all that is encapsulated within the IPSec packet to pass thru PIX

without ACL checking?

If this command is *not* used, what does PIX ACL (on outside intf) exactly do:

- check outer IP header only and protocol=ESP?

- check inner IP header only, protocol and ports (TCP/UDP)?

- check *both* outer IP header, protocol=ESP and inner IP header, protocol

(TCP/UDP) and TCP/UDP ports? IOS routers do this way.

Oleg Tipisov,



New Member

Re: sysopt connection permit-ipsec and ACL

The "sysopt connection permit-ipsec" enables the use of IPSEC on the PIX to be used for encryption by the PIX, for use in VPN, etc. The ACL is used to allow traffice through the PIX. If you want the VPN to terminate and be accepted by the PIX you use the "sysopt connection permit-ipsec" command. If you want the VPN to pass through the PIX to an internal server you would use an ACL. I hope that makes sense.

ovt Bronze

Re: sysopt connection permit-ipsec and ACL

What I really want to know is: If the "sysopt connection permit-ipsec" is used

can I deny access to the inside network for VPN users and allow them

to only access dmz network? (Note that PIX doesn't support "out" ACLs,

only "in".) If *yes*, if an "in" ACL on the outside interface can help, what

the "sysopt" command was designed for??? If *no* ... VPN code must be

rewritten completely in PIX OS.

Oleg Tipisov,



New Member

Re: sysopt connection permit-ipsec and ACL

You can control the access of the VPN. Create an access-list using your DMZ IP Addresses and the IP Addresses you VPN Clients will be using. Then add the following command.

nat (inside) 0 access-list 101

This tells the PIX not to NAT that traffic. All internal network traffic will not meet the criteria, and will be NATed and no eligible for the Tunnel. The ACL you create will not be assigned to an interface, it is just used for the NAT ID 0, which is called "NO NAT"

There are a few good documents on setting this up. If you let me know exactly what you are planning I can point you to the right one. Is this a PIX-to-PIX VPN, or a PIX to VPN Client, or PIX to another device?

CreatePlease to create content