Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
849
Views
0
Helpful
5
Replies

Filter on IPsec tunnel content

gmassen
Level 1
Level 1

‎02-09-2004 06:18 AM - edited ‎02-21-2020 01:01 PM

Hello,

I have a (possibly) unusual question: I would like to establish an IPsec tunnel (on a PIX), with a certain policy (e.g. tunnel all traffic from 10.1.0.0 to 10.2.0.0). However, no everything from one net to the other is allowed.

Is there a way to make the unencrypted traffic pass through an access-list? I was under the impression that "no sysopt connection permit-ipsec" would work, but either it does not, or I do not know what access-list to use...

Any comment would be appreciated....

Best regards,

gi

Labels:
0 Helpful
5 Replies 5

mikegallagher
Level 1
Level 1

‎02-09-2004 07:03 AM

"no sysopt connection permit-ipsec" is the default mode for this sysopt, and is necessary to keep it at "no" if you would like to apply an acl to the ingress interface.

As far as the acl to use, that's something you'll have to construct based on what you would like to permit or deny.

HTH,

Mike

0 Helpful

gmassen
Level 1
Level 1
In response to mikegallagher

‎02-09-2004 07:40 AM

Hello Mike,

I do have an acl on the ingress interface, but it does not show any matches on my traffic (which passes).

Besided I'm wondering if that is possible at all: the acl on the outside interface is already passed by the encapsulated traffic. So when the IPsec part is removed, is the traffic supposed to go through the same acl again???

If yes, then something is probably wrong with my config. If no, where could it then be filtered?

Gilles

0 Helpful

mikegallagher
Level 1
Level 1
In response to gmassen

‎02-09-2004 08:07 AM

It could be your config. If you post the relivant parts, we can have a look.

Mike

0 Helpful

gmassen
Level 1
Level 1
In response to mikegallagher

‎02-10-2004 05:37 AM

Hello Mike,

I must apologize: it actually was my config. The packets were allowed by an earlier rule than the one I was watching, and so I missed the point.

I'm glad though that it is now clear to me that one packet goes twice through the same acl... it is useful but it "feels" weird.

Regards,

Gilles

0 Helpful

mikegallagher
Level 1
Level 1
In response to gmassen

‎02-10-2004 08:10 AM

Ok, well, good to hear the issue is resolved.

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents