Cisco Support Community

ovt (Bronze)

sysopt connection permit-ipsec and ACL

Hi!

What does this command exactly do:

- permits ESP and UDP/500 to terminate on PIX?

- permits ESP and UDP/500 to pass thru PIX without ACL checking?

- permits all that is encapsulated within the IPSec packet to pass thru PIX without ACL checking?

If this command is *not* used, what does PIX ACL (on outside intf) exactly do:

- check outer IP header only and protocol=ESP?

- check inner IP header only, protocol and ports (TCP/UDP)?

- check *both* outer IP header, protocol=ESP and inner IP header, protocol (TCP/UDP) and TCP/UDP ports? IOS routers do it this way.

Oleg Tipisov,

REDCENTER,

Moscow


Re: sysopt connection permit-ipsec and ACL

Oleg,

SYSOPT CONNECTION PERMIT-IPSEC is needed to terminate a VPN on the PIX firewall. It is needed because it bypasses any ACL configured on the PIX.

The command will not listen to ISAKMP (UDP 500): this will be done by ISAKMP ENABLE OUTSIDE.

The command will not listen on ESP: this is done by CRYPTO MAP X INTERFACE OUTSIDE.

Kurt
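The configuration below is an added illustration of the three commands Kurt's reply names; it is not taken from the thread or from Cisco documentation. It shows the same site-to-site tunnel twice: once with sysopt connection permit-ipsec, where the decrypted tunnel traffic is never matched against the outside ACL, and once without it, where the outside ACL must explicitly permit the inner (decrypted) hosts and ports. The ACL names, crypto map name, transform set, peer address, pre-shared key and private subnets are all placeholders chosen for the example.

```cisco
! --- Added example, not from the original thread. All names/addresses are placeholders.

! ISAKMP (UDP/500) and ESP terminate on the PIX because of the next lines,
! not because of anything in the outside interface ACL.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key EXAMPLE-PSK address 192.0.2.1 netmask 255.255.255.255

! Which traffic is protected by the tunnel (local 10.2.2.0/24 <-> remote 10.1.1.0/24).
access-list vpn_traffic permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address vpn_traffic
crypto map MYMAP 10 set peer 192.0.2.1
crypto map MYMAP 10 set transform-set ESP-3DES-SHA
crypto map MYMAP interface outside

! ===== Variant A: sysopt present =====
! Packets that arrive through the IPsec tunnel skip the outside ACL after decryption,
! so even a deny-all outside ACL leaves the tunnelled traffic reachable.
sysopt connection permit-ipsec
access-list outside_in deny ip any any
access-group outside_in in interface outside

! ===== Variant B: sysopt absent =====
! The decrypted (inner) packets are checked against the outside ACL like any other
! inbound traffic, so the ACL has to name the inner sources, destinations and ports.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 1433
access-list outside_in permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Variant B is the tighter of the two: it answers the question's third bullet by forcing the outside ACL to apply to the inner TCP/UDP headers, at the cost of having to keep that ACL in step with whatever the tunnel is meant to carry. Whichever variant is chosen, the ACL never decides whether ESP and UDP/500 reach the PIX itself; that is governed by isakmp enable and the crypto map binding, exactly as the reply states.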
