Re: PIX sysopt connection permit-ipsec

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Sep 05 2006 - 02:01:35 ART


AFAIK,

"permit-ipsec" permits IPsec traffic that terminates on the PIX itself, not
IPsec traffic going across the PIX.

That is, when you enable ISAKMP on the outside interface, you probably don't
want the PIX to accept ESP/AH packets from anywhere, just from established
IPsec tunnels.

HTH

2006/9/5, 2nd CCIE <doubleccie@yahoo.com>:
>
> Hi Folks,
> I am trying to establish a tunnel between two routers across a PIX
> firewall.
>
> When I explicitly allow UDP 500 and ESP on the PIX outside interface,
> everything goes well. However, when I replace that with the command sysopt
> conn permit-ipsec, it does not work.
>
> According to the Cisco docs, this command is used to allow the IPsec
> traffic to traverse the PIX, but this does not happen. What am I missing
> here?
>
> any help will be appreciated
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
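To make the distinction in the reply concrete, here is an added PIX 6.x style configuration fragment; it is not from either poster. The addresses (203.0.113.10 as the router outside the PIX, 192.0.2.20 as the router behind it) and the ACL name OUTSIDE_IN are constructed for the example. The first part is what the original poster found working: an explicit interface ACL that lets IKE and ESP pass through the PIX between the two routers. The second part shows where sysopt connection permit-ipsec actually applies: a tunnel the PIX terminates itself, where the command lets decrypted traffic from that tunnel bypass the interface ACL.

```text
! --- Case 1: router-to-router IPsec transiting the PIX ---
! The PIX is not an IPsec peer here, so it only sees IKE (UDP 500),
! ESP (IP protocol 50) and, if NAT traversal is in use, UDP 4500.
! These must be permitted on the outside interface like any other
! transit traffic; sysopt connection permit-ipsec does NOT cover them.
! Restricting source and destination to the two known peers keeps the
! ACL from exposing the inside router to ESP/IKE from arbitrary hosts.
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 192.0.2.20 eq isakmp
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 192.0.2.20 eq 4500
access-list OUTSIDE_IN permit esp host 203.0.113.10 host 192.0.2.20
access-group OUTSIDE_IN in interface outside

! --- Case 2: IPsec tunnel terminating on the PIX itself ---
! Enabling ISAKMP on the interface lets the PIX accept IKE/ESP as a
! peer. sysopt connection permit-ipsec then allows the traffic that
! arrives inside an established tunnel to skip the OUTSIDE_IN check,
! so no ACL entries for the protected traffic are needed.
isakmp enable outside
sysopt connection permit-ipsec
```

If the transit ACL in case 1 is in place, sysopt connection permit-ipsec is irrelevant to the router-to-router tunnel and can be left out unless the PIX also terminates tunnels of its own; keeping it enabled without that need only widens what bypasses the interface ACL.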



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART