Point-to-Point on PIX - Page 4

In this segment from the Cisco Press book, Cisco Secure Internet Security Solutions, you'll learn commands and parameters for configuring your VPN with Point-to-Point Tunneling Protocol for a PIX Firewall.

 By Cisco Press
Page 4 of 4   |  Back to Page 1
Print Article

sysopt Command
The previous commands shown in this example have set up the PPTP tunnel and users. What has not been done is to allow the users access through the firewall. The sysopt connection permit-pptp command allows for all authenticated PPTP clients to traverse the PIX interfaces. The sysopt command is used to change the default security behavior of the PIX Firewall in a number of different ways. There are many forms of this command, each acting slightly differently. Table 4-5 contains a list of the sysopt commands and a description of each of their functions. Each of these commands also has an associated no form of the command, which is used to reverse the behavior associated with the command.

Table 4-5: sysopt Commands

Command Description
sysopt connection enforcesubnet Prevents packets with a source address belonging to the destination subnet from traversing an interface. A packet arriving from the outside interface having an IP source address of an inside network is not allowed through the interface.
sysopt connection permit-ipsec Allows traffic from an established IPSec connection to bypass the normal checking of access lists, conduit commands, and access-group commands. In other words, if an IPSec tunnel has been established, this command means that the traffic will be allowed through the interface on which the tunnel was terminated.
sysopt connection permit-pptp Allows traffic from an established PPTP connection to bypass conduit and access-group commands and access lists.
sysopt connection tcpmss bytes Forces TCP proxy connections to have a maximum segment size equal to the number specified by the parameter bytes. The default for bytes is 1380.
sysopt connection timewait Forces TCP connections to stay in a shortened time-wait state of at least 15 seconds after the completion of a normal TCP session ends.
sysopt ipsec pl-compatible Enables IPSec packets to bypass both NAT and the ASA features. This also allows incoming IPSec tunnels to terminate on an inside interface. For a tunnel crossing the Internet to terminate on the inside interface, the inside interface must have a routable IP address.
sysopt nodnsalias outbound Denies outbound DNS A record replies.
sysopt noproxyarp interface_name Disables proxy ARPs on the interface specified by interface_name.
sysopt security fragguard Enables the IP Frag Guard feature, which is designed to prevent IP fragmentation attacks such as LAND.c and teardrop. This works by requiring responsive IP packets to be requested by an internal host before they are accepted and limits the number of IP packets to 100 per second for each internal host.

Cisco Secure Internet Security Solutions -- Click to go to publisher's site --
The next segment from Cisco Secure Internet Security Solutions -- Chapter 4 will cover VPN with IPSec and Manual Keys

This article was originally published on Oct 17, 2001
Get the Latest Scoop with Networking Update Newsletter