02-26-2009 12:38 AM - edited 02-21-2020 03:19 AM
Hi all. My headquarters office is link to all other subsidiary office using site to site vpn. Currently i need to implement an accesslist on each of the pix/asa firewall of my subsidiary to limit what they can access on my headquarters. This accesslist is applied to the inside interface of my subsidiary firewalls. Hence i would like to know if it is possible to do the restriction of incoming traffic from site to site vpn on my headquarters asa5510 firewall instead of implementing the restriction on each of my subsidiary firewall. Thks in advance.
02-26-2009 05:16 AM
Hi Wenbin li
This should be no problem at all.
If you apply an ACL outbound on your inside interface of your HQ ASA, you will be able to restrict what the VPN's can or cannot access and then use generic ACL's for yor encryption domains for the IPSec setup.
but also bear in mind that this ACL will control access to ALL traffic entering the inside network so you will need entries for existing access.
02-26-2009 07:41 PM
Hi adam,
Thk you for your advise. However my HQ is using pix515e instead of asa5510. It seems that for pix i cannot apply acl on outbound traffic on my inside interface. Any advise on how i can overcome this? Thks in advance.
02-26-2009 07:55 PM
Hi adam,
My pix is using version 6.3. Do i need to upgrade to version 7 in order to apply acl on outbound traffic coming from my inside interface?
02-27-2009 01:35 AM
Hi Wenbin
Yes you will, you only have the option of applying ACL's inbound on your current OS.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide