Cisco Support Community
Community Member

use of ACL with IPSEC to restrict some hosts

I have the vpn set up between a pix and netscreen and everything works.

I have no control over the netscreen or its network. It has one host and clients on the inside of the pix have to telnet to the host.

I want to make sure that I protect my network from that machine. I know there has to be an access-list on the outside interface of my box... but for that I have to remove:

sysopt connection permit-ipsec

But I don't want to remove the above command as I will run into trouble with other tunnels running on the PIX.

So my question is:

I want users behind the PIX to be able to access a host behind the netscreen but don't want that host to access my network behind the PIX... can I do that without removing sysopt?

Thanks in advance


Community Member

Re: use of ACL with IPSEC to restrict some hosts

Nope! Removing the sysopt connection permit-ipsec command is your only option.

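For readers who end up taking the route the reply describes, the following is an added example of what the PIX configuration looks like once `sysopt connection permit-ipsec` is removed; it is not configuration from the original poster or the reply. The ACL name `outside_in`, the interface name `outside`, and all addresses (10.1.0.0/16 for the inside network, 198.51.100.10 for the NetScreen-side host, 192.0.2.0/24 for a second tunnel's remote network) are constructed placeholders, and the `log` keyword on the deny entry is assumed to be available on the PIX software in use. The idea is that inside clients still initiate telnet to the remote host and the stateful inspection lets the replies back in, while any connection the remote host tries to open toward the inside network is dropped and logged. Traffic arriving through every other tunnel must now be explicitly permitted, which is the extra work the poster was worried about.

```text
! Decrypted IPsec traffic is no longer exempt from the outside ACL.
no sysopt connection permit-ipsec

! Other tunnels: each remote network that is allowed to initiate
! connections toward the inside must now be listed here.
! (192.0.2.0/24 is a constructed example of one such remote network.)
access-list outside_in permit ip 192.0.2.0 255.255.255.0 10.1.0.0 255.255.0.0

! The NetScreen-side host: no permit entry at all. Replies to telnet
! sessions opened from the inside are allowed by the stateful connection
! table, so only connections the host itself initiates are affected.
! An explicit deny with 'log' makes those attempts visible in syslog.
access-list outside_in deny ip host 198.51.100.10 10.1.0.0 255.255.0.0 log

! Bind the ACL inbound on the outside interface; everything not
! permitted above is dropped by the implicit deny at the end.
access-group outside_in in interface outside
```

If the inside clients only ever need telnet to that host, the outbound side can be tightened the same way with an ACL on the inside interface permitting `tcp` from the client subnet to `host 198.51.100.10 eq telnet`, so that a compromised inside machine cannot reach the remote host on other ports either.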