VPN Access restriction


We have a site-to-site IPsec VPN between our offices.

Currently one of our PIX 515E (6.3) is having a problem: we are unable to log in (the PIX is running).

After rebooting it works fine, but after a day it is the same again.

So we are suspecting some virus traffic coming through the VPN.

Can anyone help us with how to track these types of packets in the PIX? Also, we are planning to restrict the traffic coming through the VPN.

In the encryption domain ACL, can we define port-based ACL access, or should we allow the traffic based on subnet in the encryption domain and restrict it with an access-group binding outbound on the inside interface?

Which one will be right?



Re: VPN Access restriction

The best way to filter traffic over a VPN, in my opinion, is:

1) build the Encryption domain based on subnets for all IP.

2) add entries to the inbound ACL on the outside interface (assuming that's where the VPN terminates) to filter traffic as desired.

3) enter "no sysopt connection permit-ipsec" to force ALL VPN traffic through this ACL.

"sysopt connection permit-ipsec" is enabled by default and "Implicitly permits any packet that comes from an IPSec tunnel, and bypasses the checking of an associated access-list, conduit, or access-group command statement for IPSec connections". Remember that this affects all VPNs so you must have the necessary rules in the ACL beforehand.

It might be a good idea to set up syslog on your firewall so you can capture any messages from the time of it freezing up.
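The three steps in the reply above, plus the syslog suggestion, as an added configuration example in PIX 6.3 syntax (not from the original thread). Addresses, ACL names, crypto-map name and the services permitted are constructed; the ISAKMP policy and pre-shared key lines are assumed to already exist and are not shown.

```cisco
! Added example, not from the original post. Constructed values:
! local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, remote peer 203.0.113.2,
! syslog server 10.1.1.50; ACL and crypto-map names are assumptions.

! 1) Encryption domain (crypto ACL) stays subnet-to-subnet for all IP,
!    so the tunnel carries everything and filtering happens in step 2.
access-list VPN_CRYPTO permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! 2) Inbound ACL on the outside interface: only the services the remote
!    site needs, then a logging deny so unexpected tunnel traffic is
!    recorded (PIX 6.3 supports the "log" keyword on ACL entries).
access-list OUTSIDE_IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq smtp
access-list OUTSIDE_IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.20 eq 443
access-list OUTSIDE_IN permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-list OUTSIDE_IN deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log
access-group OUTSIDE_IN in interface outside

! 3) Stop decrypted IPsec traffic from bypassing the interface ACL.
!    The default "sysopt connection permit-ipsec" is what would make
!    step 2 ineffective for VPN traffic.
no sysopt connection permit-ipsec

! Send syslog to an inside host so messages leading up to a freeze
! survive the reboot and are kept off the firewall.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
```

After the change, "show access-list OUTSIDE_IN" shows per-entry hit counts, and the logging deny produces syslog messages that identify which remote host and port is generating the unexpected traffic.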