02-08-2008 10:36 AM - edited 02-21-2020 03:32 PM
I have an IPSec Site to Site VPN tunnel that terminates on the outside interface of the firewall. My ftp server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the Site to Site I create a tunnel group and group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and interface ACL working together? Does one override the other? How are these working together.
Solved! Go to Solution.
02-14-2008 11:39 AM
When the traffic is ipsec, the interface acl's are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the ipsec traffic.
02-14-2008 11:33 AM
This document has configuration information regarding IPsec.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
02-21-2008 03:32 PM
Thanks
02-21-2008 03:32 PM
Thanks
02-14-2008 11:39 AM
When the traffic is ipsec, the interface acl's are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the ipsec traffic.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide