ACLs for Traffic Within VPNs

john
Level 1

I'm successfully running site-to-site and remote site VPNs on a PIX. Now, my desire is to apply ACLs to the traffic within the VPNs. How do I do it?


john
Level 1

Here's more information:

My goal is applying ACLs to traffic within VPNs coming in from the PIX outside interface.

Let's say a site-to-site VPN is established with remote peer 111.111.111.111 using the remote network 10.10.10.0, and a local network 192.168.200.0 terminating on the PIX dmz interface.

....
sysopt connection permit-ipsec
....
access-list 101 permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
....
ip address dmz 192.168.200.1 255.255.255.0
....
nat (dmz) 0 access-list 102
....
crypto map site2site 10 match address 101
crypto map site2site 10 set peer 111.111.111.111
....

Now let's say my goal is to limit traffic originating from the remote 10.10.10.0 network to telnet sessions on the local 192.168.250.0 dmz network, using the following configuration commands:

....
access-list YES permit tcp 10.10.10.0 255.255.255.0 192.168.250.0 255.255.255.0 eq telnet
access-group YES in interface outside
....

Does this work?

If so, it seems the PIX order of operations is decrypting the IPSec traffic coming in from the PIX outside interface, and then applying the access-list to the decrypted traffic.

Is this how it works? Where is this documented?

....John
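As an added illustration (not part of John's post, and not a confirmed Cisco answer to it), the configuration below shows the setting in his snippet that decides whether the outside ACL ever sees decrypted tunnel traffic, with the permissive form beside the filtering form. It assumes PIX 6.x syntax, the dmz network from his crypto ACL (192.168.200.0) as the telnet destination, and a placeholder OUTSIDE-IP for the PIX outside address; whether the to-the-box IKE/ESP entries are required depends on the PIX version and is an assumption here.

```cisco
! --- Permissive form: this is what the posted config contains ---
! sysopt connection permit-ipsec makes packets that arrive through an IPsec
! tunnel bypass the interface access-group check after decryption, so the
! outside ACL below is never consulted for tunnel traffic and does not filter it.
sysopt connection permit-ipsec
access-list YES permit tcp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0 eq telnet
access-group YES in interface outside

! --- Filtering form: remove the bypass so decrypted packets hit the outside ACL ---
no sysopt connection permit-ipsec
! Assumed: with the bypass gone, IKE and ESP from the peer to the PIX itself
! must be permitted explicitly on the outside ACL (OUTSIDE-IP is a placeholder).
access-list YES permit udp host 111.111.111.111 host OUTSIDE-IP eq isakmp
access-list YES permit esp host 111.111.111.111 host OUTSIDE-IP
! Decrypted tunnel traffic is then matched on its inner addresses: only telnet
! from the remote LAN to the dmz LAN is allowed; everything else from the tunnel
! falls to the implicit deny and is logged as a normal ACL drop.
access-list YES permit tcp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0 eq telnet
access-group YES in interface outside
```

Monitoring hit counts with show access-list YES after a telnet and a non-telnet test from 10.10.10.0 is the quickest way to confirm which form is in effect.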