-----Original Message-----
Subject: [fw-wiz] PIX 6.x - Acces rules on a VPN tunnel.

> I am poking around the PDM on a PIX running 6.3(5) and I see a checkbox in

the VPN System
> Options pane labelled "Bypass access check for all IPSec traffic". I want

to be able to
> control the traffic across the VPN so I would think I need to uncheck this

box. When I do
> this, all traffic across the VPN tunnel stops. I try to add some rules to

the access rules
> pane to permit traffic across but nothing I do makes me able to get across

the VPN.

That check box in PDM is really 'sysopt connect permit-ipsec' in the actual
config. Unfortunately you will see this in most of Cisco's example
documentation and therefore a lot of PIX firewalls in production are
configured this way as well.

> Am I missing something?

Hard to know without seeing the config. Common mistakes include trying to
use the access-list referenced by the 'crypto map match' to do filtering,

Writing access-lists for VPN tunnels is more confusing on a PIX because the
access-list is tied to an interface, and depending on how you want to write
the rules, it can be tricky. It also doesn't help that PIX uses three
different access-lists to describe filtering, NAT, and SA's for a single VPN

> Ultimately, I want to have control over what traffic can flow between the

two sites through
> the VPN tunnel. Can somebody lend me a clue as to how to do this?

Working from a situation where everything works but you're not filtering on
data traversing the tunnel, all you should have to do in theory is add
entries to your external access-list (this is the one designated by
'access-group [aclname] in interface outside') that allow the traffic you
want to allow in and then issue 'no sysopt connection permit-ipsec' (or
uncheck that box) and clear the SA's so the tunnel will restart.

That should be it. But it may not be. If you've already tried this or you
try it and it fails, consider sanitizing the relevant parts of your PIX
config and posting them to the list. It certainly won't hurt in trying to
troubleshoot your issue.


firewall-wizards mailing list