09-11-2007 01:18 AM
Hi all. Right now my site-to-site VPN between two Cisco PIX firewalls is working fine, but I would like to restrict the VPN traffic on both sides. After I have created the access list to limit the VPN traffic, should I set "no sysopt connection permit ipsec" for the restriction to take effect? Thanks in advance.
09-11-2007 02:04 AM
sysopt connection permit ipsec was used in older PIX software to allow IPsec.
Adjusting the ACLs will suffice. Keep in mind that these ACLs must match on both ends of the link.
regards,
Leo
09-12-2007 08:59 AM
Leo
I differ slightly on what this command does. I don't think it is used just on older versions of the PIX software to allow IPsec. It and the updated "sysopt connection permit-vpn" are used to bypass any ACL checking on the interface where the IPsec tunnel terminates. This is still a perfectly valid thing to want to do on PIX and ASA devices.
By disabling it, yes, it will mean any IPsec traffic, once decrypted, will be checked against any ACL applied on the interface that the tunnel terminates on. The ACLs do not need to match on both ends; that is the crypto map access list.
Jon
09-12-2007 10:22 AM
haha....and those don't really match, they are mirrored. :) (I know you know this)
09-12-2007 11:26 PM
Hi Adam
Mirrored is a better description than matched :)
Yes, I did know this, but I was talking about the ACLs applied to the interface, not the crypto access list. I believe the OP was talking about turning off sysopt connection permit-ipsec and then controlling traffic via the ACL applied to the outside interface. I just thought it was worth pointing out that the ACLs on the interfaces did not have to match at both ends.
Jon
09-13-2007 12:59 AM
Adam
Just reread this and realised I prattled on about which ACL I was talking about, thinking you had misunderstood, which you hadn't.
Sometimes posts + my slowness just don't work :)
Jon
09-12-2007 10:45 AM
Thanks Jon, I must admit that I haven't checked the exact function. In practice, I never came across this because thus far I have always terminated the VPNs on the PIX/ASA itself. You do not need it in this case.
I also remember having read about some sysopt commands becoming obsolete; that was what I had in mind when I wrote the response.
About the ACLs not matching: I meant the crypto ACLs. I have noticed unpredictable results with IOS-based VPN tunnels when the ACLs on both devices did not allow the same traffic. In that case, one side would drop IPsec packets after decryption due to not passing the crypto ACL. It is good practice to configure them symmetrically.
regards,
Leo
09-12-2007 11:23 PM
Leo
Okay, that makes sense. Yes, I agree that the crypto access lists really should match, or at least be mirrored, otherwise things generally don't work.
Jon
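The two points the thread settles on, as an added configuration example that is not from any poster: the crypto ACLs on the two peers are mirror images of each other, while the interface ACL only comes into play once `sysopt connection permit-vpn` is turned off. It assumes PIX 7.x/ASA syntax, constructed placeholder networks (10.1.0.0/16 behind site A, 10.2.0.0/16 behind site B) and constructed ACL and crypto map names.

```cisco
! ---- Site A (PIX 7.x / ASA; placeholder addresses and names) ----
! Crypto ACL: "interesting traffic" that is sent into the tunnel.
access-list VPN_A_TO_B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Default behaviour: decrypted tunnel traffic bypasses the outside interface ACL.
! With this line present, an ACL applied to "outside" restricts nothing inside the VPN.
sysopt connection permit-vpn

! To restrict the VPN traffic: remove the bypass ...
no sysopt connection permit-vpn
! ... and filter decrypted traffic with the ACL applied inbound on "outside".
! Only HTTPS from site B to one server at site A is allowed; the rest of the
! tunnel traffic is dropped after decryption.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.10.5 eq 443
access-list OUTSIDE_IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! ---- Site B (peer) ----
! Crypto ACL is the mirror image of site A's: source and destination swapped.
! If it is not, one side drops packets after decryption for failing the crypto ACL.
access-list VPN_B_TO_A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_B_TO_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Interface ACL at site B does NOT need to mirror site A's; it reflects
! what site B chooses to accept from the tunnel.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 22
access-list OUTSIDE_IN extended deny ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside
```

On PIX 6.x the bypass command is `sysopt connection permit-ipsec` rather than `permit-vpn`, and its access lists omit the `extended` keyword; the split between crypto ACL and interface ACL is the same.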