Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 RA VPN filter

Is it possible to filter remote acces VPN traffic on a PIX 501 (like you can on an ASA?)

Super Bronze

Re: PIX 501 RA VPN filter


My guess would be that you can't configure VPN Filter on an PIX 501. (Quickly going through command reference for software 6.3 didnt show the command in the listing atleast or I just didnt find it)

Though I guess you could probably do the same thing on PIX 501 that I just mentioned in another post here on this forum section.

Disable to the option that lets VPN traffic pass your outside interface Access-list. In PIX 6.3 software the command format should be the following (with "no" keyword in front):

connection permit-ipsec

Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.

This would let you control remote -> local traffic in outside interface access-list and local -> remote on the PIXs interface access-lists.

I guess you can also control the remote user traffic by using split-tunneling on your VPN Client connections. Allow traffic only to certain hosts/networks behind the PIX firewall. Then again, for more presice controlling of the traffic you would have to use access-lists.

- Jouni

CreatePlease to create content