RE: [fw-wiz] Pass-through VPN

From: Catalina Scott Contr AFCA/EVEO (
Date: 10/22/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Increase in SSH Probing"
    To: "Fetch, Brandon" <>, <>
    Date: Fri, 22 Oct 2004 11:49:07 -0500

    Inbound traffic normally requires an access-list or conduit statement to
    allow it to pass.

    But by using the sysopt connection permit-ipsec command, the inbound
    ipsec traffic bypasses all access-lists and counduits.

    Since you can't block inbound traffic on the internal interface as you
    can with a cisco router, the traffic cannot be filtered at this point.

    To lock this traffic down, use ACLs without using the sysopt command.


    -----Original Message-----
    From: Fetch, Brandon []
    Sent: Monday, October 18, 2004 1:16 PM
    Subject: RE: [fw-wiz] Pass-through VPN

    To make sure I'm understand this correctly...

    PIX terminates a VPN on it's outside interface, or any interface with an
    Internet addressable address With the sysopt command, traffic that
    passes through that VPN tunnel from the remote site is not able to be
    ACL'ed appropriately?

    But would it not be ACL'able through it's source/destination components?
    Source being the remote site's LAN address, destination being someplace
    else behind the PIX.

    Just a bit confused on what this command truly limits/enables.


    firewall-wizards mailing list

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Increase in SSH Probing"