sysopt permit-ipsec

I installed a PIX 501 today and configured an IPSec VPN to another site managed by a third party. Everything went okay and the VPN works fine. Once everything was up, the sysadmin at this company asked me if the site had direct internet access, which it did, so he asked me to block all outbound traffic to the internet to force everything down the VPN to the proxy server at head office.

As my config had 'sysopt connection permit-ipsec', I presumed that I could just put a 'deny all' ACL on the inside interface to block all traffic and that any traffic matching the crypto access list for the VPN would bypass the 'deny all' ACL on the inside interface. However, once I had applied it the VPN connectivity stopped, and a look at the logs showed the traffic being blocked by the inside ACL. So I added a line above the deny-all statement to permit this local network to the central office network, and that fixed the VPN. If I look at the ACL I can see the hit count going up on the line that permits VPN traffic as well as on the crypto ACL.

My question is: am I correct in thinking that 'sysopt connection permit-ipsec' *should* bypass the inside ACL if the traffic is matched by the crypto ACL? This is on 6.3(5).

Thanks,

Chris.


I notice the same behavior on 6.3(3).

The documentation says:

connection permit-ipsec Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.

so I guess it indicates that it only applies to the outside access-group, since the traffic hitting the inside interface is not coming from an IPSec tunnel, but is going TO an IPSec tunnel.

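An added PIX 6.3 configuration sketch, not from the thread and not the poster's own config, showing the ordering that the two posts describe: the inside ACL carries its own permit for tunnel-bound traffic above the deny-all, while sysopt only exempts the decrypted traffic arriving on the outside interface. All addresses, ACL names, the map name and the peer are constructed for this example.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   local LAN (inside)     192.168.10.0/24
!   head-office LAN        10.0.0.0/16   (reached through the tunnel)
!   third-party VPN peer   203.0.113.1
!
! Crypto ACL: defines which traffic is encrypted into the tunnel.
access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
!
! Exempt tunnel traffic from NAT so it reaches the peer with its real source.
nat (inside) 0 access-list vpn-traffic
!
! Inside interface ACL. The permit for head-office must come BEFORE the deny:
! sysopt does not exempt traffic that is merely heading TO the tunnel, so the
! interface ACL is still evaluated and a bare deny-all breaks the VPN.
access-list inside-in permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list inside-in deny ip any any
access-group inside-in in interface inside
!
! Decrypted packets arriving FROM the tunnel on the outside interface bypass the
! outside access-group, so no matching permit is needed there.
sysopt connection permit-ipsec
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set esp-3des-sha
crypto map vpnmap interface outside
!
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

With this in place, `show access-list` shows the hit counter climbing on both the inside-in permit line and the vpn-traffic crypto ACL for the same flow, which is the behaviour the original post observed.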

Certainly looks that way. Thanks anyway.

Chris.

