02-09-2004 06:18 AM - edited 02-21-2020 01:01 PM
Hello,
I have a (possibly) unusual question: I would like to establish an IPsec tunnel (on a PIX), with a certain policy (e.g. tunnel all traffic from 10.1.0.0 to 10.2.0.0). However, not everything from one net to the other is allowed.
Is there a way to make the unencrypted traffic pass through an access-list? I was under the impression that "no sysopt connection permit-ipsec" would work, but either it does not, or I do not know what access-list to use...
Any comment would be appreciated....
Best regards,
gi
02-09-2004 07:03 AM
"no sysopt connection permit-ipsec" is the default mode for this sysopt, and is necessary to keep it at "no" if you would like to apply an acl to the ingress interface.
As far as the acl to use, that's something you'll have to construct based on what you would like to permit or deny.
HTH,
Mike
02-09-2004 07:40 AM
Hello Mike,
I do have an acl on the ingress interface, but it does not show any matches on my traffic (which passes).
Besides, I'm wondering if that is possible at all: the acl on the outside interface is already passed by the encapsulated traffic. So when the IPsec part is removed, is the traffic supposed to go through the same acl again???
If yes, then something is probably wrong with my config. If no, where could it then be filtered?
Gilles
02-09-2004 08:07 AM
It could be your config. If you post the relevant parts, we can have a look.
Mike
02-10-2004 05:37 AM
Hello Mike,
I must apologize: it actually was my config. The packets were allowed by an earlier rule than the one I was watching, and so I missed the point.
I'm glad though that it is now clear to me that one packet goes twice through the same acl... it is useful but it "feels" weird.
Regards,
Gilles
02-10-2004 08:10 AM
Ok, well, good to hear the issue is resolved.
Mike