Cisco Support Community
New Member

understanding access-list on pix


I'm a little bit confused about access-lists on the PIX.

My questions:

a) Does an access-list on an inside (higher security) interface contain an implicit (not viewable) "deny any any" statement?

b) Assume IPSEC clients are terminated on the outside interface and sysopt conn permit-ipsec is set:

1) Can IPSec users access the whole network? (all interfaces on the pix)

Are static/nat statements for the inside networks necessary to gain access from the ipsec users ip range?

2) Do I have to permit anything on the access-lists of my inside interface(s) (including DMZ)?

3) What would happen if sysopt conn permit-ipsec is NOT set?

Thanks in advance for answering my (stupid?) questions.


New Member

Re: understanding access-list on pix


ACLs on a PIX are a bit different if you're used to conduits. In answer to your questions:

a) Yes, it most certainly does. When you apply an ACL on a higher security interface start by blocking the outbound traffic you don't want, then permit everything else (or write a list of explicit permits which would not be easy).

b-1) Yes, they have full access except in two cases. First, if you're using vpngroups with split tunneling you'll find that they can only access resources in the internal networks you listed when you defined the split tunneling ACL. Second, if you're using authorization you can restrict access with using an ACL. This requires a AAA server. No statics or conduits are required.

b-2) It depends. For just generic client VPN, no. Keep in mind that as soon as you apply an ACL to a PIX interface the usual higher-to-lower-is-permitted behavior changes. For example, if I write an ACL to permit a DMZ host access to a higher-security network, I have to make sure that my ACL then explicitly permits traffic to lower-security interfaces, or the internet (assuming I want this). The implicit deny of a Cisco ACL is very much in effect.

b-3) I don't know, I haven't tried it. My understanding is that you'd have to write an outside interface ACL that explicitly permits IPSec traffic. If you want to restrict VPN users there are easier ways.

Your questions aren't stupid, it's not a clear-cut subject. Let me know if anything needs clarification. Have a nice weekend.
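The points in a), b-1) and b-2) above as a PIX 6.x configuration fragment. This is an added example, not configuration from this thread; the interface names, addresses and ACL names are assumed placeholders.

```cisco
! Constructed example (not from the thread). Assumed interfaces:
! outside (security0), inside (security100), dmz (security50).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! b-3: keep the IPsec bypass so VPN client traffic is not
! subject to the outside interface ACL.
sysopt connection permit-ipsec

! b-1: with split tunneling, clients only reach the networks in
! this ACL (placeholder group name and address).
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 any
vpngroup remote split-tunnel split_tunnel

! a): ACL on the higher-security (inside) interface. Deny the
! outbound traffic you do not want, then permit everything else,
! because the implicit deny at the end would otherwise drop all
! traffic the ACL does not explicitly permit.
access-list inside_out deny tcp any any eq 25
access-list inside_out permit ip any any
access-group inside_out in interface inside

! b-2): once an ACL is applied to the DMZ interface, DMZ -> outside
! is no longer permitted by default. First-match order: allow one
! DMZ host to one inside host, block the rest of DMZ -> inside,
! then explicitly permit the lower-security (internet) direction.
access-list dmz_in permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Every PIX ACL ends with an implicit deny, so anything not matched by the lines above is dropped; `show access-list` displays per-line hit counts, which is the quickest way to confirm which entry a flow is matching.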


New Member

Re: understanding access-list on pix

Although Cisco says it is not recommended, I have had great success in using conduits for firewall rules and ACLs for VPN rules.

I feel that the limitation of only allowing inbound ACLs makes the config on a multi-interface PIX way too complex.

New Member

Re: understanding access-list on pix


Can you please help with links where I can find the split tunneling and authorization.


