Jeremy,
For example we have:
PC1 ------ int1[PIX]int2 ----VPN----[PIX] ------PC2
and you need to block TELNET from PC2 to PC1.
Just add:
ACL 101 deny host PC1 eq 23 host PC2 gt 1023 (block response)
ACL 101 .....
and apply ACL 101 to int1 to filter inbound...
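To make the "block the response" idea concrete, here is an added example (not code from the post or from Cisco) that simulates a stateless, first-match access list with the implicit deny every Cisco ACL ends with. The addresses for PC1 and PC2 are constructed placeholders. It shows that a deny entry for PC1 port 23 towards PC2's high ports, applied where PC1's replies enter the PIX, drops the SYN-ACK so a Telnet session from PC2 can never complete, while PC1's own outbound Telnet to PC2 is still permitted:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the two hosts in the diagram (assumption, not from the post).
PC1 = "10.1.1.10"
PC2 = "10.2.2.20"

PortRange = Optional[Tuple[int, int]]  # (lo, hi) inclusive, or None for "any port"


@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol, otherwise exact match
    src: str         # host address or "any"
    sport: PortRange
    dst: str
    dport: PortRange

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and _host_ok(self.src, p.src)
            and _port_ok(self.sport, p.sport)
            and _host_ok(self.dst, p.dst)
            and _port_ok(self.dport, p.dport)
        )


def _host_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; an ACL with no match denies (implicit deny)."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Equivalent of the post's ACL 101, applied inbound on int1 (the PC1 side):
#   deny  tcp host PC1 eq 23 host PC2 gt 1023   -> blocks PC1's Telnet replies to PC2
#   permit ip any any                           -> everything else (assumption for the "....." line)
ACL_101 = [
    AclEntry("deny", "tcp", PC1, (23, 23), PC2, (1024, 65535)),  # gt 1023 == 1024..65535
    AclEntry("permit", "ip", "any", None, "any", None),
]


def telnet_from_pc2_completes(acl: List[AclEntry]) -> bool:
    """PC2 -> PC1 Telnet: the SYN arrives decrypted and leaves via int1 outbound (not filtered here);
    PC1's SYN-ACK then enters int1 inbound, where the ACL is applied.  The handshake completes
    only if that reply is permitted."""
    syn_ack = Packet("tcp", PC1, 23, PC2, 4567)   # constructed ephemeral port on PC2
    return evaluate(acl, syn_ack) == "permit"


def telnet_from_pc1_permitted(acl: List[AclEntry]) -> bool:
    """PC1 -> PC2 Telnet: the SYN itself enters int1 inbound and must be permitted."""
    syn = Packet("tcp", PC1, 4567, PC2, 23)
    return evaluate(acl, syn) == "permit"


if __name__ == "__main__":
    print("Telnet PC2->PC1 completes:", telnet_from_pc2_completes(ACL_101))  # False
    print("Telnet PC1->PC2 permitted:", telnet_from_pc1_permitted(ACL_101))  # True
```

Because the entry matches on the reply direction only, the filter is stateless yet still effective against TCP: without the SYN-ACK the client never reaches an established state, which is exactly why the post can block connection-oriented traffic on a different interface from the one where the encrypted packets arrive.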
Jeremy,
Yes, that's correct, you cannot evaluate whether you want or not to accept the packet when it is still encrypted. But if you really want to filter the traffic, you can do this on other interfaces of the PIX, there is no need to use for these ...
But you can use inbound access list.
Any traffic based on TCP can be blocked because attacker will never establish connection.
Any UDP traffic from LAN1 can be blocked too.
Any ICMP reply traffic too.
For example you have:
LAN1 ---- int1[Cisco]int2 ------>VPNlink<-------- int3[Cisco]int4 -------- LAN2
You can check security of decrypted traffic on the following interfaces:
int1 inbound (Traffic from LAN1 to LAN2)
int1 outbound (Traffic from LAN2 to L...