Cisco Support Community
Community Member

sysopt on my pix

I have the vpn set up between a pix and netscreen and everything works.

I have no control over the netscreen or its network. It has one host and clients on the inside of the pix have to telnet to the host.

I want to make sure that I protect my network from that machine. I know there has to be an access-list on the outside interface of my box... but for that I have to remove:

sysopt connection permit-ipsec

But I don't want to remove the above command as I will run into trouble with other tunnels running on the PIX.

So my question is:

I want users behind the PIX to be able to access a host behind the netscreen but don't want that host to access my network behind the PIX... can I do that without removing sysopt?

Thanks in advance



Re: sysopt on my pix

TCP is a 2 way street. You need to allow the telnet server to send replies back to your hosts. That said, you could apply an inbound acl to the inside int of your pix to limit what goes back:

Assume the remote network is

Assume the remote telnet server is

access-list 105 deny ip any

access-list 105 permit tcp any host eq 23

access-list 105 permit ip any any

this should do what you seek:

line 1 blocks all traffic to their network.

line 2 only allows tcp traffic going to port 23 (telnet) of their telnet server

line 3 allows all traffic that does not match 1 or 2 to pass - this allows all of your other traffic to pass, just like it would before you started restricting outbound data flow (pix default is to allow all out, and block all in)
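Added example, not part of the reply above: a small first-match evaluator that behaves the way a PIX walks an access-list (top-down, first matching line wins, implicit deny at the end). The remote addresses did not survive in the post, so 192.0.2.0/24 for the remote network and 192.0.2.10 for the telnet host are constructed placeholders, as are the inside client and internet addresses. Running it shows why line order is the check worth making: with the "deny ip any <remote-net>" line first, the telnet permit on line 2 can never match, so the permit for port 23 to the host has to sit above the deny for the whole network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders; the real addresses were elided in the post.
ANY = ipaddress.ip_network("0.0.0.0/0")
REMOTE_NET = ipaddress.ip_network("192.0.2.0/24")     # remote (netscreen) network
TELNET_HOST = ipaddress.ip_network("192.0.2.10/32")   # remote telnet server


@dataclass
class Rule:
    """One access-list line: action, protocol, source, destination, optional dest port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


# The three lines in the order the reply lists them.
AS_POSTED = [
    Rule("deny", "ip", ANY, REMOTE_NET),            # line 1: block all to their network
    Rule("permit", "tcp", ANY, TELNET_HOST, 23),    # line 2: allow telnet to their host
    Rule("permit", "ip", ANY, ANY),                 # line 3: everything else as before
]

# Same lines with the specific permit placed above the broad deny.
PERMIT_FIRST = [AS_POSTED[1], AS_POSTED[0], AS_POSTED[2]]


def matches(rule: Rule, proto: str, src, dst, dport: Optional[int]) -> bool:
    """Does a packet (proto, src, dst, dport) hit this rule?"""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First-match evaluation with an implicit deny when nothing matches.

    Returns (action, 1-based line number or None for the implicit deny).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for lineno, rule in enumerate(acl, start=1):
        if matches(rule, proto, s, d, dport):
            return rule.action, lineno
    return "deny", None


def check(acl) -> dict:
    """Evaluate a few constructed flows from an inside client (10.1.1.5)."""
    return {
        "telnet_to_host": evaluate(acl, "tcp", "10.1.1.5", "192.0.2.10", 23)[0],
        "ssh_to_host": evaluate(acl, "tcp", "10.1.1.5", "192.0.2.10", 22)[0],
        "other_remote_host": evaluate(acl, "tcp", "10.1.1.5", "192.0.2.20", 80)[0],
        "internet": evaluate(acl, "tcp", "10.1.1.5", "198.51.100.7", 443)[0],
    }


if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("permit first", PERMIT_FIRST)):
        print(name, check(acl))
```

In both orderings the internet flow is permitted by the catch-all and anything other than telnet to the remote network is denied; only the telnet flow differs, and it is denied in the posted order because line 1 matches it first. The same first-match logic is why the reply puts the filter on the inside interface: with `sysopt connection permit-ipsec` in place, decrypted tunnel traffic bypasses the outside interface's access-list, so the inside interface is where the outbound restriction is actually evaluated.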
