I have been working with the PIX for about a year but have just started to write VPN configs.
Could someone please clarify for me the relationship between the "sysopt connection permit-ipsec" statement, the "crypto map...match address" statement and the VPN interface ACL? From what I understand about "sysopt connection permit ipsec", this statement allows decrypted VPN traffic to bypass any ACL bound to the crypto interface as well as any conduit statements. The "crypto map ...match address" defines the 'interesting traffic' that will initiate the tunnel.
However, my collegue at work insists that in order run, say, an ftp server on the VPN tunnel, we have to define an access-list on the VPN interface (which happens to be our "outside" interface) which defines the destination addresses that we will allow to connect to the ftp server, once the tunnel is up. IS THIS CORRECT? It seems to me that the "sysopt connection" statement precludes the need for further ACLs at the VPN interface.
Somewhat confused here, TIA!
Re: sysopt connection permit-ipsec
12 years 10 months ago #10550
The answer to your question is simple, and one I think you may like to hear.
You are correct. Your friend is wrong.
You can easily find the 'proof' in Cisco's PIX command reference for the sysopt permit ipsec statement.
If the sysopt statement is NOT in the config, then yes, you will need to specify the unencrypted traffic you want to permit inbound on an ACL or conduit - but again, ONLY if the sysopt is NOT configured.
The whole purpose of the sysopt permit ipsec statement is to make it so you could easily 'trust' tunneled traffic on your untrusted ingress interface - without having to make crazy modifications to your ACL's.
You are correct on your other statements too...
the Crypto map ACL defines the 'encryption domain', or the intersting traffic, or the source and destination networks permitted through the VPN tunnel. Some people just specify the souce and destination IP addresses or subnets, others go down to the port level. If you're talking LAN-to-LAN tunnels, then you would want to make sure that the other side of the tunnel can support port-based encryption domains before you try to use it.
If you are doing LAN-to-LAN tunnels, especially with, say, 3rd party companies that you don't necessarily trust or want to have full access to your network, then you'd want to make sure you don't have the sysopt permit ipsec turned on, and use the outside interface ACL to filter the traffic.
Some people try to use the VPN tunnel ACL to filter traffic - it's not something I recommend as a best practice.
If you're strictly doing all internal/trusted LAN-to-LAN, or just remote-access VPN, then the sysopt is the way to go.