pix tunnel related acl

Discussion in 'Cisco' started by Bill F, Oct 24, 2003.

  1. Bill F

    Bill F Guest

    Can I use a deny statement in a pix acl to be used in a match statement?

    For example, I want to tunnel all traffic to the 192.168.0.0/16 space
    except for 211.0/24

    access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list 104 permit ip 192.168.207.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list 104 deny ip 192.168.10.0 255.255.255.0 192.168.211.0 255.255.255.0
    access-list 104 deny ip 192.168.207.0 255.255.255.0 192.168.211.0 255.255.255.0

    thank you
    Bill F, Oct 24, 2003
    #1

  2. In article <>,
    Bill F <> wrote:
    : Can I use a deny statement in a pix acl to be used in a match statement?

    Yes, provided you are not using pre-determined SAs (Security Associations).
    I've never seen anyone use those in practice. If you -were- using
    them, then your access-list would have to consist of exactly one
    'permit' entry and nothing else.

    Reference for ability to use deny: look in the PIX Command Reference
    under 'crypto map' in the Usage section description of 'crypto map
    match address':

    (Traffic that is permitted by the access list will be protected.
    Traffic that is denied by the access list will not be protected in
    the context of the corresponding crypto map entry.)


    :For example, I want to tunnel all traffic to the 192.168.0.0/16 space
    :except for 211.0/24

    :access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
    :access-list 104 permit ip 192.168.207.0 255.255.255.0 192.168.0.0 255.255.0.0
    :access-list 104 deny ip 192.168.10.0 255.255.255.0 192.168.211.0 255.255.255.0
    :access-list 104 deny ip 192.168.207.0 255.255.255.0 192.168.211.0 255.255.255.0

    Remember, it's evaluated from the top down, so put your deny before
    your permit.
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
    Walter Roberson, Oct 24, 2003
    #2
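    An added example, not from this thread, that simulates the top-down first-match evaluation Walter describes: it runs Bill's four entries in the order he posted them and again with the deny lines moved above the permits, and reports whether a flow to 192.168.211.0/24 would be selected for the tunnel. The parser, the `tunneled` helper and the sample host addresses are assumptions for illustration, not PIX code.

```python
import ipaddress

# Bill's entries exactly as posted (permits first); constructed input
POSTED_ACL = """
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 104 permit ip 192.168.207.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 104 deny ip 192.168.10.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list 104 deny ip 192.168.207.0 255.255.255.0 192.168.211.0 255.255.255.0
"""

# The same entries with the deny lines moved first, as the reply suggests
REORDERED_ACL = """
access-list 104 deny ip 192.168.10.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list 104 deny ip 192.168.207.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 104 permit ip 192.168.207.0 255.255.255.0 192.168.0.0 255.255.0.0
"""

def parse_acl(text):
    """Parse 'access-list <id> permit|deny ip <src> <mask> <dst> <mask>' lines
    (PIX subnet-mask syntax, not IOS wildcards) into (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        if f[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
        dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
        entries.append((f[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins, top to bottom; no match is an implicit deny
    (for a crypto map match address, deny means the flow is not protected)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def tunneled(acl_text, src_ip, dst_ip):
    """True if the flow would be selected for the tunnel under this ACL order."""
    return evaluate(parse_acl(acl_text), src_ip, dst_ip) == "permit"

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("reordered", REORDERED_ACL)):
        for dst in ("192.168.50.7", "192.168.211.7"):
            print(f"{label:9} 192.168.10.5 -> {dst}: tunneled={tunneled(acl, '192.168.10.5', dst)}")
```

    With the posted order the broad permit matches first and 192.168.211.0/24 traffic is tunneled anyway; with the deny entries first it is excluded while the rest of 192.168.0.0/16 still goes through the tunnel.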

  3. Bill F

    Bill F Guest

    thanks

    Bill F.
    Bill F, Oct 24, 2003
    #3
