Re: sysopt permit-ipsec



I notice the same behavior on 6.3(3).

The documentation says:

connection permit-ipsec
Implicitly permit any packet that came from an IPSec tunnel and bypass
the checking of an associated access-list, conduit, or access-group command
statement for IPSec connections.



so I guess it indicates that it only applies to the outside access-group,
since the traffic hitting the inside
interface is not coming from an IPSec tunnel, but is going TO an IPSec
tunnel.



"Chris" <chris@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ZdydnavOQv7BhufeSa8jmw@xxxxxxxxxxxxxx
>I installed a Pix 501 today and configured an IPSec VPN to another site
>managed by a third party. Everything went okay and the VPN works fine. Once
>everything was up the sysadmin at this company asked me if the site had
>direct internet access, which they did, so he asked me to block all outbound
>traffic to the internet to force everything down the VPN to the proxy
>server at head office.
>
> As my config had 'sysopt connection permit-ipsec' I presumed that I could
> just put a 'deny all' ACL on the inside interface to block all traffic and
> that any traffic matching the crypto access list for the VPN would bypass
> the 'deny all' ACL on the inside interface. However, once I had applied it
> the VPN connectivity stopped and a look at the logs showed the traffic
> being blocked by the inside ACL. So I added a line above the deny all
> statement to permit this local network to the central office network and
> that fixed the VPN. If I look at the ACL I can see the hit count going up
> on the line that permits VPN traffic as well as the crypto ACL.
>
> My question is, am I correct in thinking that the 'sysopt connection
> permit-ipsec' *should* bypass the inside acl if the traffic is matched by
> the crypto acl? This is on 6.3(5).
>
> Thanks,
>
> Chris.
>
>




