Re: PIX sysopt connection permit-ipsec

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Sep 05 2006 - 02:55:46 ART


Needless to say, the tunnel has to terminate on a PIX interface for that
'bypass' to be possible.

2006/9/5, Petr Lapukhov <petr@internetworkexpert.com>:
>
> Hey, I think I get it :)
>
> It seems that "decapsulated" traffic bypasses the access-list check
> with this command.
>
> Just like with IOS, until 12.3(8)T, when they double-check the inbound
> access-list for decrypted packets (again).
>
> It looks like with this PIX command, decrypted packets bypass the inbound ACL.
>
> Thanks a lot for that question, I was always guessing what this command
> actually does :)
>
>
> HTH
>
>
> 2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
> >
> > Thanks for confirming that. However, I will copy the command reference
> > as it is in the command reference guide, which caused me this confusion. As
> > you will see, it says connections that pass through the PIX; nothing is
> > mentioned about terminating on the PIX.
> >
> > Thanks anyway
> >
> >
> > sysopt connection permit-ipsec
> > Use the sysopt connection permit-ipsec command in IPSec configurations
> > to permit IPSec traffic to pass through the PIX Firewall without a check of
> > conduit or access-list command statements.
> > An access-list or conduit command statement must be available for
> > inbound sessions. By default, any inbound session must be explicitly
> > permitted by a conduit or access-list command statement. With IPSec
> > protected traffic, the secondary access list check could be redundant.
> > To enable IPSec authenticated/cipher inbound sessions to always be
> > permitted, use the sysopt connection permit-ipsec.
> >
> >
> >
> >
> > Petr Lapukhov <petr@internetworkexpert.com> wrote:
> > AFAIK,
> >
> > "permit-ipsec" permits IPsec traffic that terminates on the PIX itself, not
> > across the PIX.
> >
> > That is, when you enable ISAKMP on the outside interface, you probably don't
> > want the PIX to accept ESP/AH packets from anywhere, just from established
> > IPsec tunnels.
> >
> > HTH
> >
> > 2006/9/5, 2nd CCIE <doubleccie@yahoo.com>: Hi Folks
> > I am trying to establish a tunnel between two routers across a PIX
> > firewall.
> >
> > When I explicitly allow UDP 500 and ESP on the PIX outside interface,
> > everything goes well. However, when I replace that with the command sysopt
> > conn permit-ipsec, it does not work.
> >
> > According to the Cisco docs, this command is used to allow the IPSEC
> > traffic to traverse the PIX, but this does not happen. What am I missing
> > here?
> >
> > Any help will be appreciated
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> >
> >
>
>
>
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
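To make the distinction the thread arrives at concrete, here is an added configuration example in PIX 6.x style. It is not taken from any of the posts above or from Cisco documentation; the interface names, the access-list and crypto map names, the pre-shared key placeholder and the RFC 5737 / RFC 1918 addresses are all assumptions chosen for illustration.

```cisco
! Case 1: IPsec between two routers that merely TRANSITS the PIX.
! sysopt connection permit-ipsec has no effect on this traffic. The inbound
! ACL on the outside interface must explicitly permit IKE (UDP/500) and ESP
! towards the inside router, which is what the original poster observed.
! Placeholder addresses (assumed):
!   192.0.2.10    - outside router (IKE/IPsec peer of the inside router)
!   198.51.100.10 - inside router as seen from outside (static translation)
access-list OUTSIDE_IN permit udp host 192.0.2.10 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.10 host 198.51.100.10
! If AH is used as well, it needs its own line:
! access-list OUTSIDE_IN permit ah host 192.0.2.10 host 198.51.100.10
access-group OUTSIDE_IN in interface outside

! Case 2: IPsec tunnel that TERMINATES on the PIX outside interface.
! This is where sysopt connection permit-ipsec applies: the PIX accepts
! IKE/ESP only from the peer in its crypto map, and the decrypted (inner)
! packets are not checked against OUTSIDE_IN again on their way inside.
! Placeholder peer (assumed): 192.0.2.20
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 192.0.2.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! Interesting traffic (assumed subnets): inside LAN to remote LAN
access-list VPN_TRAFFIC permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Exempt the tunnelled traffic from NAT
nat (inside) 0 access-list VPN_TRAFFIC
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.20
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
! Without this line, the decrypted packets would still have to be permitted
! by OUTSIDE_IN; with it, the inbound ACL check is skipped for them.
sysopt connection permit-ipsec
```

The practical consequence is the one the thread describes: if only the Case 2 lines are configured, the router-to-router IKE and ESP packets of Case 1 are still dropped by the outside interface ACL, because they never terminate on the PIX and `sysopt connection permit-ipsec` never sees them. A quick way to confirm which path packets are taking is to watch the hit counts in `show access-list OUTSIDE_IN` while the router tunnel is being negotiated: transit IKE/ESP increments the explicit entries, whereas a PIX-terminated tunnel does not. Note that when the PIX-terminated tunnel bypasses the inbound ACL, the only filtering of the inner traffic is the crypto ACL (`VPN_TRAFFIC` here), so that list should be as narrow as the peer's legitimate traffic allows. On later ASA software the equivalent command is `sysopt connection permit-vpn`.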



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART