sysopt connection permit-ipsec and ACL

ovt
Level 4

Hi!

What does the "sysopt connection permit-ipsec" command exactly do:

- permits ESP and UDP/500 to terminate on PIX?
- permits ESP and UDP/500 to pass thru PIX without ACL checking?
- permits all that is encapsulated within the IPSec packet to pass thru PIX without ACL checking?

If this command is *not* used, what does PIX ACL (on outside intf) exactly do:

- check outer IP header only and protocol=ESP?
- check inner IP header only, protocol and ports (TCP/UDP)?
- check *both* outer IP header, protocol=ESP and inner IP header, protocol (TCP/UDP) and TCP/UDP ports? IOS routers do it this way.

Oleg Tipisov,

REDCENTER,

Moscow

3 Replies

wolfrikk
Level 3

The "sysopt connection permit-ipsec" enables the use of IPSEC on the PIX to be used for encryption by the PIX, for use in VPN, etc. The ACL is used to allow traffic through the PIX. If you want the VPN to terminate and be accepted by the PIX you use the "sysopt connection permit-ipsec" command. If you want the VPN to pass through the PIX to an internal server you would use an ACL. I hope that makes sense.

What I really want to know is: if the "sysopt connection permit-ipsec" is used, can I deny access to the inside network for VPN users and allow them to only access the dmz network? (Note that PIX doesn't support "out" ACLs, only "in".) If *yes*, and an "in" ACL on the outside interface can help, what was the "sysopt" command designed for??? If *no* ... VPN code must be rewritten completely in PIX OS.

Oleg Tipisov,

REDCENTER,

Moscow

You can control the access of the VPN. Create an access-list using your DMZ IP addresses and the IP addresses your VPN clients will be using. Then add the following command.

nat (inside) 0 access-list 101

This tells the PIX not to NAT that traffic. All internal network traffic will not meet the criteria, and will be NATed and not eligible for the tunnel. The ACL you create will not be assigned to an interface; it is just used for the NAT ID 0, which is called "NO NAT".

There are a few good documents on setting this up. If you let me know exactly what you are planning I can point you to the right one. Is this a PIX-to-PIX VPN, or a PIX to VPN Client, or PIX to another device?
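The following is an added configuration example (not from the original thread or from Cisco documentation) showing how the "NO NAT" approach described above restricts a VPN client pool to the DMZ. All addresses and interface names are constructed assumptions: the DMZ subnet is 192.168.10.0/24 on an interface named "dmz", the VPN client pool is 10.1.1.0/24, and the inside network 192.168.1.0/24 is deliberately left out of the NAT-exempt ACL so it is never carried over the tunnel. The nat 0 statement is placed on the interface where the exempted hosts live (the DMZ in this assumed topology); the original reply uses "nat (inside) 0" for hosts behind the inside interface.

```cisco
! --- Added example, assumed addressing (not the original poster's config) ---
! Interface naming assumed: outside / inside / dmz
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Address pool handed to remote VPN clients (assumed)
ip local pool vpnpool 10.1.1.1-10.1.1.254

! NAT-exempt ACL: only DMZ <-> VPN-pool traffic is listed.
! Inside network 192.168.1.0/24 is intentionally absent, so it is
! NATed normally and never matches the tunnel's interesting traffic.
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

! "NO NAT" (NAT ID 0) on the interface where the exempted hosts sit.
! The ACL is referenced here only; it is not applied to any interface.
nat (dmz) 0 access-list 101

! Ordinary PAT for everything else leaving the firewall (assumed)
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Allow the IPsec tunnel to terminate on the PIX without an explicit
! outside-interface ACL for the decrypted traffic.
sysopt connection permit-ipsec
```

To confirm the restriction after applying it, `show nat` should list only the nat (dmz) 0 entry referencing ACL 101 for exempted traffic, and `show access-list 101` should show hit counts rising only for DMZ-to-pool flows; any VPN client attempt toward 192.168.1.0/24 never matches the exemption and is translated like normal internet-bound traffic.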