Velocity Reviews - Computer Hardware Reviews

PIX VPN Firewall-Rules

Michael Kiessling
12-18-2003
Hi,

I want to restrict the access from a VPN tunnel into my LAN.
Where do I have to set the access-list?
On the outside interface, on the inside interface (I don't think
this works), or do I have to set the rules in the access-list which
describes the tunnel (encryption domain)?

I don't have the possibility to set up a test environment, so maybe
someone has done this before.

Thank you,
Michael
 
Martin Bilgrav
12-18-2003
It depends on whether you have sysopt connection permit-ipsec, or just a plain ACL
for IPsec traffic.

regards
martin

Rik Bain
12-18-2003
If you disable sysopt connection permit-ipsec, then the access-list
applied to the interface the tunnel terminates on will filter traffic
that arrives from the tunnel.

If you leave the sysopt in place, you can filter traffic on the internal
interface(s) to prevent traffic from entering the PIX before it hits the
tunnel.

The second option is effective if you have control of both sides, as it
does not filter traffic from the other peer, but rather filters what you
send to them.

Rik Bain
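As an added example (written for this page, not a configuration posted by anyone in the thread), here is what the two options above look like on a PIX 6.3 site-to-site tunnel. Everything in it is assumed for illustration: the local LAN is 192.168.1.0/24, the branch LAN behind the IPsec peer 203.0.113.2 is 10.2.0.0/24, and the branch is meant to reach only the file server 192.168.1.10 on TCP/445 and the mail relay 192.168.1.20 on TCP/25. The ACL and crypto map names are made up. Lines beginning with `!` are explanatory comments, not PIX commands, and should be dropped before pasting.

```cisco
! Assumed topology (constructed for this example):
!   inside  192.168.1.0/24   our LAN
!   branch  10.2.0.0/24      behind the IPsec peer 203.0.113.2

! 1. Encryption domain: selects which traffic is sent through the tunnel.
!    This ACL is a selector for IPsec, not a permission list; narrowing it
!    only changes what gets encrypted, not what the peer may reach.
access-list vpn_to_branch permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list vpn_to_branch

! 2. Option one (Rik's first suggestion): make sure the IPsec bypass is off.
!    With "sysopt connection permit-ipsec" set, packets that arrive through
!    the tunnel skip the ACL on the outside interface after decryption.
!    Without it they are filtered like any other inbound packet.
no sysopt connection permit-ipsec

! 3. Outside ACL: what the branch may reach once decrypted. Anything not
!    listed, including the rest of 192.168.1.0/24, hits the implicit deny.
!    Return traffic for connections our hosts open towards the branch is
!    still allowed by the PIX state table, so only branch-initiated
!    connections are restricted here.
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 host 192.168.1.10 eq 445
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 host 192.168.1.20 eq 25
access-group outside_in in interface outside

! 4. The tunnel itself. esp-aes needs PIX 6.3; use esp-3des on older releases.
crypto ipsec transform-set branch_ts esp-aes esp-sha-hmac
crypto map branch_map 10 ipsec-isakmp
crypto map branch_map 10 match address vpn_to_branch
crypto map branch_map 10 set peer 203.0.113.2
crypto map branch_map 10 set transform-set branch_ts
crypto map branch_map interface outside
isakmp enable outside
isakmp key CHANGE-THIS-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 5. Option two (Rik's second suggestion), shown commented out because it
!    replaces step 2: keep the bypass and filter on the inside interface.
!    This only limits what our hosts send into the tunnel. The branch can
!    still open connections to anything covered by vpn_to_branch, because
!    decrypted traffic bypasses outside_in.
! sysopt connection permit-ipsec
! access-list inside_out deny tcp 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 23
! access-list inside_out permit ip any any
! access-group inside_out in interface inside
```

To confirm which mode you are in, `show sysopt` lists whether the bypass is set, and `show access-list outside_in` shows hit counts that should increase on the permit entries while branch hosts try connections not listed. If the PIX already had `sysopt connection permit-ipsec` before the change, expect anything the branch could reach before to stop working until it is listed in `outside_in`.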
 
Michael Kiessling
12-19-2003
> If you disable sysopt connection permit-ipsec, then the access-list
> applied to the interface the tunnel terminated on will filter traffic
> that arrives from the tunnel.


I think that's what I'm looking for. Thank you!