Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN & a PIX501

Hi, I have recently finished presenting the 501on a roadshow in conjunction with Cisco. During my time I got asked a alot of tricky questions which I was able to field most of bar a couple. Both were related to the way the PIX works in with a VPN tunnel.

With a 10 user licence on a PIX 501 will the 5 allowed VPN peers take up 5 licences while the tunnels are up?

When a tunnel is up is it subject to the same ACL rules as normal traffic would be or does the VPN tunnel circumnavigate the ACL rule base?

Thanks and I look forward to your response.



  • Other Security Subjects
New Member

Re: VPN & a PIX501

The license question is a good one. I look forward to someone sharing that answer.

As far as the ACL question the VPN traffic appears to get pulled into the tunnel based on the MATCH ADDRESS in the Crypto statement before applying interface ACLs. Our 501's use default ACL configurations which allow no inbound sessions yet we can create sessions in and out through the tunnel. Good luck finding details like that written down somewhere.

You next question is probably how to apply an ACL to tunnel traffic? Just don't include it in the MATCH ADDRESS ACL. Then filter it like normal.

Of course... test it yourself to be sure!