Hi Adil,

You need the command when you don't want to put the VPN traffic into the outside access list. Without the command you need to allow the remote end of the VPN access into your networks as well as down the VPN.

If it is a trusted site that the VPN is coming from then the command is fine. If the traffic is coming from a 3rd party and you only want to allow them access on, say, port 3389, then you need to use "no sysopt connection permit-vpn" and then on the outside access list you would have:

permit tcp "remote host/network" "local host/network" eq 3389

This would then only allow the RDP port.

HTH
Dave

From: [email protected] [mailto:[email protected]] On Behalf Of Adil Pasha
Sent: 22 September 2011 01:02
To: OSL Security
Subject: [OSL | CCIE_Security] Very Stupid Question?

When do I need this command, since my IPSec connection works without it?

sysopt connection permit-vpn

Best Regards.
______________________
Adil
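An added example (not part of Dave's reply or Adil's question) of the two ASA configurations Dave contrasts: the default, where decrypted VPN traffic bypasses the outside interface ACL, and the restricted form where a third-party peer is limited to RDP. The ACL name OUTSIDE_IN, the peer network 203.0.113.0/24 and the local RDP host 10.1.1.10 are assumed values.

```cisco
! --- Before: default behaviour (trusted peer) ---
! Traffic arriving through the IPsec tunnel is NOT checked against the
! access list applied to the outside interface; the remote site can reach
! anything the crypto ACL allows.
sysopt connection permit-vpn

! --- After: third-party peer, RDP only ---
! Disable the bypass so decrypted tunnel traffic is evaluated by the
! outside interface ACL like any other inbound packet.
no sysopt connection permit-vpn

! Outside interface ACL: permit only TCP/3389 from the remote VPN network
! (assumed 203.0.113.0/24) to the local RDP host (assumed 10.1.1.10).
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 10.1.1.10 eq 3389
! Any other traffic from the peer, and anything else inbound, is dropped and logged.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Check: after the remote side opens an RDP session, the hitcnt on the
! permit line should increase; other attempts from the peer show up on the deny line.
show access-list OUTSIDE_IN
```

Note that any legitimate non-VPN inbound traffic the outside interface previously accepted must also be permitted explicitly in OUTSIDE_IN, since the final deny line now drops everything else.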
