02-05-2003 08:12 AM - edited 02-21-2020 12:19 PM
Hi!
What does the "sysopt connection permit-ipsec" command exactly do:
- permits ESP and UDP/500 to terminate on PIX?
- permits ESP and UDP/500 to pass thru PIX without ACL checking?
- permits all that is encapsulated within the IPSec packet to pass thru PIX without ACL checking?
If this command is *not* used, what does PIX ACL (on outside intf) exactly do:
- check outer IP header only and protocol=ESP?
- check inner IP header only, protocol and ports (TCP/UDP)?
- check *both* outer IP header, protocol=ESP and inner IP header, protocol (TCP/UDP) and TCP/UDP ports? IOS routers do it this way.
Oleg Tipisov,
REDCENTER,
Moscow
02-05-2003 08:21 AM
The "sysopt connection permit-ipsec" enables the use of IPSEC on the PIX to be used for encryption by the PIX, for use in VPN, etc. The ACL is used to allow traffic through the PIX. If you want the VPN to terminate and be accepted by the PIX you use the "sysopt connection permit-ipsec" command. If you want the VPN to pass through the PIX to an internal server you would use an ACL. I hope that makes sense.
02-05-2003 09:14 AM
What I really want to know is: if the "sysopt connection permit-ipsec" is used, can I deny access to the inside network for VPN users and allow them to only access the dmz network? (Note that PIX doesn't support "out" ACLs, only "in".) If *yes*, if an "in" ACL on the outside interface can help, what was the "sysopt" command designed for? If *no* ... VPN code must be rewritten completely in PIX OS.
Oleg Tipisov,
REDCENTER,
Moscow
02-05-2003 10:27 AM
You can control the access of the VPN. Create an access-list using your DMZ IP Addresses and the IP Addresses your VPN Clients will be using. Then add the following command.
nat (inside) 0 access-list 101
This tells the PIX not to NAT that traffic. All internal network traffic will not meet the criteria, and will be NATed and not eligible for the Tunnel. The ACL you create will not be assigned to an interface; it is just used for the NAT ID 0, which is called "NO NAT".
There are a few good documents on setting this up. If you let me know exactly what you are planning I can point you to the right one. Is this a PIX-to-PIX VPN, or a PIX to VPN Client, or PIX to another device?
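A constructed PIX 6.x configuration fragment illustrating the NAT-exemption approach described in the reply above (added example, not from the thread or from Cisco). It assumes three interfaces named outside, dmz and inside, a DMZ subnet of 192.168.10.0/24, and a VPN client pool of 10.200.0.0/24; the nat 0 exemption is applied on the interface where the DMZ hosts sit, because nat 0 with an access-list only matches traffic originating on the named interface.

```cisco
! Constructed example: PIX 6.x, interfaces outside / dmz / inside
! Assumed addressing: DMZ 192.168.10.0/24, VPN client pool 10.200.0.0/24
ip address dmz 192.168.10.1 255.255.255.0
ip local pool vpnpool 10.200.0.1-10.200.0.254

! Only DMZ <-> VPN-pool flows are exempted from NAT, so only they can use
! the tunnel. No inside address appears here, so decrypted client packets
! for inside hosts find no translation and are dropped.
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (dmz) 0 access-list 101

! Normal outbound NAT for everything else (inside and dmz)
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface

! Decrypted VPN traffic bypasses the outside-interface ACL once this is set,
! which is why the outside "in" ACL alone cannot fence the clients in.
sysopt connection permit-ipsec

! Caveat: any "static (inside,outside)" entry for an inside host creates a
! translation the VPN clients could also use, re-opening that path.
```

Verify with "show xlate" after a client connects: only DMZ/pool pairs should appear as identity (nat 0) entries.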