From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Sep 05 2006 - 02:54:35 ART
Hey, I think I get it :)

It seems like that "decapsulated" traffic bypasses the access-list check
with this command.

Just like with IOS, until 12.3(8)T, when they double-check the inbound
access-list for decrypted packets (again).

It looks like with this PIX command, decrypted packets bypass the inbound ACL.

Thanks a lot for that question, I was always guessing what this command
actually does :)

HTH
2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
>
> Thanks for confirming that. However, I will copy the command reference as
> it is in the command reference guide, which caused me this confusion. As you
> will see, it says connections that pass through the PIX; nothing is mentioned
> about terminating on the PIX.
>
> Thanks anyway
>
> sysopt connection permit-ipsec
>
> Use the sysopt connection permit-ipsec command in IPSec configurations
> to permit IPSec traffic to pass through the PIX Firewall without a check of
> conduit or access-list command statements.
>
> An access-list or conduit command statement must be available for
> inbound sessions. By default, any inbound session must be explicitly
> permitted by a conduit or access-list command statement. With IPSec
> protected traffic, the secondary access list check could be redundant. To
> enable IPSec authenticated/cipher inbound sessions to always be permitted,
> use the sysopt connection permit-ipsec.
>
> Petr Lapukhov <petr@internetworkexpert.com> wrote:
> AFAIK,
>
> "permit-ipsec" permits IPsec traffic that terminates on the PIX itself, not
> across the PIX.
>
> That is, when you enable ISAKMP on the outside interface, you probably don't
> want the PIX to accept ESP/AH packets from anywhere. Just from established
> IPsec tunnels.
>
> HTH
>
> 2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
>
> Hi Folks
>
> I am trying to establish a tunnel between two routers across a PIX
> firewall.
>
> When I explicitly allow udp 500 and ESP on the PIX outside interface,
> everything goes well. However, when I replace that with the command sysopt
> conn permit-ipsec, it does not work.
>
> According to the Cisco docs, this command is used to allow the IPSEC
> traffic to traverse the PIX, but this does not happen. What am I missing
> here?
>
> any help will be appreciated
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
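An added configuration example (not from the thread or from Cisco's documentation) contrasting the two cases discussed above on a PIX 6.x-style box: a router-to-router tunnel transiting the PIX, and a tunnel terminating on the PIX with and without the sysopt. Interface names, ACL names, the crypto map, the transform set and all addresses are assumed; check the exact ACL entries needed against the command reference for your release.

```cisco
! Case 1 (the original poster's working setup): a tunnel between two routers
! that only transits the PIX. sysopt connection permit-ipsec does not cover
! this; the transit IKE and ESP must be permitted by the interface ACL.
! Assumed addresses: 192.0.2.10 = outside router, 198.51.100.10 = inside router
access-list OUTSIDE_IN permit udp host 192.0.2.10 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.10 host 198.51.100.10
access-group OUTSIDE_IN in interface outside

! Case 2: a tunnel terminating on the PIX itself. With the sysopt enabled,
! packets arriving inside an established SA are not re-checked against
! OUTSIDE_IN after decryption, so the crypto ACL (proxy identity) becomes
! the only filter applied to the decrypted traffic. Keep it as tight as the
! real traffic allows; "permit ip any any" here removes all filtering.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.10 netmask 255.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN_TRAFFIC
crypto map MYMAP 10 set peer 192.0.2.10
crypto map MYMAP 10 set transform-set ESP-3DES-SHA
crypto map MYMAP interface outside
sysopt connection permit-ipsec

! Defensive alternative for Case 2: leave the sysopt off so decrypted flows
! are subject to OUTSIDE_IN like any other inbound session, and permit them
! explicitly. Interface ACL hit counters and deny logs then cover VPN traffic
! too. Assumed PIX outside address: 203.0.113.1. Whether the IKE/ESP entries
! to the PIX's own address are required depends on the release; verify it.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit udp host 192.0.2.10 host 203.0.113.1 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.10 host 203.0.113.1
access-list OUTSIDE_IN permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
```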
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART