Cisco Support Community

VPN with PIX 6.3.x and 7.x.

Hi all,

I have a very basic question related to PIXs and VPNs. I know that a basic site-to-site VPN configuration starts with permitting ESP or AH and ISAKMP from the remote peer. You can do this with "sysopt connection permit-ipsec" or permit it with an ACL. But from PIX OS version 6.x onward there is no need to configure this explicitly with the above-mentioned config, and the VPN will function.

So my question is: should I use it (an explicit ACL or sysopt) on the PIX? I mean both versions 6.x and 7.x of PIX.




Re: VPN with PIX 6.3.x and 7.x.

The way the PIX handles VPN is a bit different from a router. With a router, the inbound ACL needs to include UDP 500, UDP 4500, and ESP before a tunnel can be established. However, there is no such restriction with the PIX. Yes, in other words, it's not feasible to restrict which host can initiate a VPN to the PIX (I guess it's a vulnerability).

The command "sysopt connection permit-ipsec" is then purely for traffic after decryption.

With PIX v6.x, assuming you prefer to restrict what a remote VPN user can do, the only way is to disable the command "sysopt connection permit-ipsec" and then configure an inbound ACL.


no sysopt connection permit-ipsec
access-list inbound permit tcp host eq 3389
access-group inbound in interface outside

With these commands, remote VPN users can only RDP to the terminal server and nothing else.

With PIX/ASA v7, a VPN filter can be applied to an individual user. Thus I personally will leave the command "sysopt connection permit-ipsec" on and restrict users with a VPN filter. It's great, you should check this out.


username password ********
username attributes
vpn-filter value vpn_filter_cisco
access-list vpn_filter_cisco permit tcp host eq 3389
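The two approaches from the reply above, written out side by side so the direction of each ACL is visible. This is an added example, not configuration from the original post: the terminal server address 10.1.1.10, the VPN client pool 192.168.100.0/24, the username "rduser" and the ACL names are assumptions chosen for illustration, and the "extended" keyword applies to 7.x syntax only (6.x ACLs omit it).

```cisco
! Added example, not from the original post. Addresses, names and the
! user "rduser" are assumptions chosen for illustration.
!
! --- Approach A (the only option on PIX 6.x; also valid on 7.x) ---
! Turn off the implicit bypass so decrypted VPN traffic is evaluated by the
! outside interface ACL, then permit only RDP from the client pool to the
! terminal server. Everything else from the tunnel hits the implicit deny.
no sysopt connection permit-ipsec
access-list inbound permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 3389
access-group inbound in interface outside
!
! --- Approach B (PIX/ASA 7.x): keep the bypass, filter per user ---
! Decrypted traffic skips the interface ACL, so the restriction has to live
! in the vpn-filter. A vpn-filter ACL is written with the remote (VPN client)
! side as the source and the protected network as the destination, and it
! is enforced in both directions for that user's session.
sysopt connection permit-ipsec
access-list vpn_filter_cisco extended permit tcp any host 10.1.1.10 eq 3389
username rduser password ********
username rduser attributes
 vpn-filter value vpn_filter_cisco
!
! Checks once rduser is connected (show commands, output not reproduced):
! show vpn-sessiondb remote          ! session should list filter vpn_filter_cisco
! show access-list vpn_filter_cisco  ! hit count rises for RDP, nothing else gets through
```

With approach B the interface ACL still governs non-VPN traffic on the outside interface, so a user-specific filter does not loosen anything that was already permitted there; with approach A, any change to the "inbound" ACL affects both clear-text and decrypted traffic, which is worth keeping in mind when the same ACL is later edited for other purposes.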
