Cisco Support Community

New Member

PIX site to site VPN

When doing site-to-site VPN on a PIX and using the "sysopt connection permit-ipsec" command, does this mean that once decrypted, all traffic will be allowed through?

Every example of PIX site-to-site VPN I have looked at makes no mention of any access-lists applied to the outside interface when "sysopt connection permit-ipsec" is configured.

I thought once decrypted the traffic would then need to match an access-list to continue its journey to a higher security interface.

Please help, I'm confused.

1 REPLY
New Member

Re: PIX site to site VPN

You are correct. When using "sysopt connection permit-ipsec", it bypasses all access-list checks. In order to have traffic match ACLs you need to disable it and include the VPN traffic in your ACL on the outside interface.

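The two configurations the reply contrasts, written out as an added example (not configuration from the original thread or from Cisco). It uses PIX 6.x syntax; the interface names, ACL names, addresses (local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, remote peer 203.0.113.2) and the inside hosts and ports in Variant B are constructed for illustration. Variant A is the "no ACL needed" setup the question describes; Variant B turns the bypass off and lists the decrypted traffic explicitly, as the reply suggests.

```text
! --- Added example, not from the original thread. PIX 6.x syntax.
! --- All names, addresses and ports below are constructed for illustration.
!
! Exempt the tunnel traffic from NAT and define the interesting traffic.
! PIX ACLs take ordinary subnet masks, not IOS-style wildcard masks.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Phase 1 and Phase 2 (pre-shared key shown as a placeholder).
! 3DES/SHA are the period-typical choices; use AES where the software supports it.
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn_traffic
crypto map site2site 10 set peer 203.0.113.2
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
!
! === Variant A: what the examples in the question show ===
! Decrypted packets skip the ACL bound to the outside interface, so every
! host in 10.2.2.0/24 can reach every port on every inside host over the tunnel.
sysopt connection permit-ipsec
!
! === Variant B: make decrypted traffic match the outside ACL ===
! Turn the bypass off and add entries for the DECRYPTED (inner) traffic to the
! ACL applied inbound on the outside interface. Anything the remote site sends
! through the tunnel that does not match an entry is dropped like any other
! unsolicited inbound packet.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 443
access-list outside_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list outside_in permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-group outside_in in interface outside
```

Note that the entries in Variant B are written in terms of the inner (pre-encryption) addresses, not the peer's public address, because the check happens after decryption. Variant B also means the outside ACL now governs both Internet-sourced and tunnel-sourced traffic, so keep the VPN entries grouped and commented. On PIX 7.x and ASA the same bypass is spelled "sysopt connection permit-vpn".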