From: 2nd CCIE (doubleccie@yahoo.com)
Date: Tue Sep 05 2006 - 02:45:19 ART
Thanks for confirming that. However, I will copy the command reference as it is in the command reference guide, which caused me this confusion; as you will see, it says connections that pass through the PIX, and nothing is mentioned about terminating on the PIX.

Thanks anyway.
sysopt connection permit-ipsec

Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements.

An access-list or conduit command statement must be available for inbound sessions. By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, the secondary access list check could be redundant. To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.
Petr Lapukhov <petr@internetworkexpert.com> wrote:
AFAIK, "permit-ipsec" permits IPsec traffic that terminates on the PIX itself, not across the PIX.
That is, when you enable ISAKMP on the outside interface, you probably don't want the
PIX to accept ESP/AH packets from anywhere, just from established IPsec tunnels.
HTH
2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
Hi Folks,
I am trying to establish a tunnel between two routers across a PIX firewall.
When I explicitly allow UDP 500 and ESP on the PIX outside interface, everything goes well. However, when I replace that with the command sysopt conn permit-ipsec, it does not work.
According to the Cisco docs, this command is used to allow the IPSEC traffic to traverse the PIX, but this does not happen. What am I missing here?
Any help will be appreciated.
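The two situations discussed in this thread, side by side, as an added PIX 6.x configuration example (not posted by anyone in the thread; all addresses, object names and the pre-shared key are constructed placeholders from the RFC 5737 documentation ranges):

```cisco
! Case 1: IPsec between two ROUTERS that transits the PIX.
! sysopt connection permit-ipsec does not apply to this traffic; the
! outside access-list must explicitly permit ISAKMP and ESP (and AH if
! the transform set uses it), just as the original poster found.
! Router A on the outside: 203.0.113.10
! Router B on the inside: real 10.0.0.10, static-translated to 198.51.100.10
static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN permit esp host 203.0.113.10 host 198.51.100.10
! access-list OUTSIDE_IN permit ah host 203.0.113.10 host 198.51.100.10
access-group OUTSIDE_IN in interface outside
! Scope the ACEs to the two peers only; a blanket "permit esp any any"
! also works but admits unsolicited ESP from any source.

! Case 2: IPsec that TERMINATES on the PIX itself.
! Here the PIX is the crypto peer, and sysopt connection permit-ipsec lets
! the packets that arrive through its own established tunnel bypass the
! outside access-list, so no ACE for the protected inner traffic is needed.
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list VPN permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
crypto map MAP 10 match address VPN
crypto map MAP 10 set peer 203.0.113.10
crypto map MAP 10 set transform-set TS
crypto map MAP interface outside
sysopt connection permit-ipsec
```

Without the sysopt line in Case 2, the decrypted traffic from 192.168.1.0/24 would still have to be permitted by OUTSIDE_IN, which is the "redundant secondary access list check" the command reference refers to.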
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART