Cisco Support Community
Community Member

sysopt connection permit-ipsec


In addition to this command, I have an access-list applied inbound on the outside interface which permits ICMP and SSH. When I VPN to the PIX, the tunnel is established, but I cannot send traffic across to the network behind the PIX. I see the packets encrypted at my workstation, but no decryptions.

Would I have to open up GRE on the access-list applied inbound on the outside interface? I thought sysopt connection permit-ipsec took care of that.

Also, when I get an IP address from the PIX after VPNing, it does not have a default gateway in it. I find that very strange; any thoughts?

Cisco Employee

Re: sysopt connection permit-ipsec

Are you VPN'ing using IPSec or PPTP? You mention opening up GRE which implies you're using PPTP, in which case you don't need to open up GRE, but you do need the command:

sysopt connection permit-pptp

If you can't connect to anything internally, and you're not seeing any decrypts get back to you, check your "nat 0" access-list statement, make sure you have something like the following:

nat (inside) 0 access-list 100

access-list 100 permit ip

Also, you won't see a default gateway, similarly to how you don't see one when you dial up to an ISP. The VPN software takes care of it and knows what traffic needs to be encrypted and what doesn't.

Re: sysopt connection permit-ipsec

Glenn probably hit the nail on the head, but I thought I would go ahead and add one other (probably obvious) thought. Make sure the network behind the PIX that you cannot get to has a route for the pool of addresses that you hand to the VPN clients, pointing back to the inside interface of the PIX. If you have default routes pointing to the inside interface of the PIX from your entire network, then you are good to go. Just a thought....
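Pulling the two replies together, here is an added configuration example (not posted by anyone in the thread) that shows the three checks discussed: the sysopt command, the "nat 0" exemption for traffic between the inside network and the VPN client pool, and the return route on the internal network. All addresses, names (vpnpool, nonat, outside_in) and interface assignments are assumptions chosen for illustration; substitute your own. The outside ACL permits only ICMP and SSH, as in the original question, with no GRE entry.

```text
! --- PIX (assumed: inside 10.1.1.0/24, inside interface 10.1.1.1,
!               outside interface 203.0.113.1, VPN client pool 192.168.50.0/24) ---

! Let decrypted IPsec client traffic bypass the interface access-list check
sysopt connection permit-ipsec

! Address pool handed to VPN clients
ip local pool vpnpool 192.168.50.1-192.168.50.254

! "nat 0" exemption: do not translate inside <-> VPN-pool traffic, otherwise the
! PIX tries to NAT the return traffic and the client never sees a decrypt
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Outside ACL from the question: only ICMP and SSH are opened; no GRE line is
! added, since GRE is a PPTP requirement, not an IPsec one
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 203.0.113.1 eq ssh
access-group outside_in in interface outside

! --- Internal router behind the PIX (assumed IOS syntax) ---
! Return route for the VPN pool pointing at the PIX inside interface; without
! this, replies from hosts behind the PIX never make it back to the tunnel
ip route 192.168.50.0 255.255.255.0 10.1.1.1
```

If the internal network already defaults to the PIX inside interface, the last route is redundant, as the second reply notes; if it defaults elsewhere (for example to an internal core router), the pool route is what makes the difference between "encrypts only" and a working session.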

