PIX VPN Firewall-Rules

Discussion in 'Cisco' started by Michael Kiessling, Dec 18, 2003.

  1. Hi,

    I want to restrict the access from a vpn tunnel inside my LAN.
    Where do I have to set the access-list?
    On the outside interface, on the inside interface (I don't think
    this works), or do I have set the rules at the access-list which
    describes the tunnel (encryption domain)?

    I don't have the possibility to set up a test environment - so maybe
    someone did this before.

    Thank you,
    Michael
    Michael Kiessling, Dec 18, 2003
    #1

  2. Depends on where you have sysopt connection permit-ipsec or just a plain acl
    for ipsec traffic.

    regards
    martin

    "Michael Kiessling" <> wrote in message
    news:p...
    > Hi,
    >
    > I want to restrict the access from a vpn tunnel inside my LAN.
    > Where do I have to set the access-list?
    > On the outside interface, on the inside interface (I don't think
    > this works), or do I have set the rules at the access-list which
    > describes the tunnel (encryption domain)?
    >
    > I don't have the possibility to set up a test environment - so maybe
    > someone did this before.
    >
    > Thank you,
    > Michael
    Martin Bilgrav, Dec 18, 2003
    #2

  3. Rik Bain (Guest)

    On Thu, 18 Dec 2003 09:10:25 -0600, Michael Kiessling wrote:

    > Hi,
    >
    > I want to restrict the access from a vpn tunnel inside my LAN. Where do
    > I have to set the access-list? On the outside interface, on the inside
    > interface (I don't think this works), or do I have set the rules at the
    > access-list which describes the tunnel (encryption domain)?
    >
    > I don't have the possibility to set up a test environment - so maybe
    > someone did this before.
    >
    > Thank you,
    > Michael
    If you disable sysopt connection permit-ipsec, then the access-list
    applied to the interface the tunnel terminated on will filter traffic
    that arrives from the tunnel.

    If you leave the sysopt in place, you can filter traffic on the internal
    interface(s) to prevent traffic from entering the pix before it hits the
    tunnel.

    The second option is effective if you have control of both sides, as it
    does not filter traffic from the other peer, but rather filters what you
    send to them.

    Rik Bain
    Rik Bain, Dec 18, 2003
    #3
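    The two placements Rik describes, written out as a PIX 6.x configuration fragment. This is an added illustration, not configuration from the thread; the addresses (LAN 10.1.0.0/24, remote VPN site 10.2.0.0/24, peer 198.51.100.1, server 10.1.0.10) are constructed, the crypto map and ISAKMP policy are assumed to exist already, and the `!` lines are explanatory only (use `access-list <name> remark` if you want comments kept in the running config). The crypto ACL stays a plain "what to encrypt" definition: narrowing it does not filter, it only changes the proxy identities and will break Phase 2 if the peer's mirror ACL no longer matches.

```cisco
! --- Encryption domain (crypto ACL). Defines interesting traffic only;
! --- it is not a filter and must mirror the peer's crypto ACL exactly.
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC

! ===== Option 1 (Rik's first): filter what the peer sends us =====
! Stop decrypted tunnel traffic from bypassing the interface ACL.
no sysopt connection permit-ipsec

! With the bypass gone, the outside ACL now sees both cleartext Internet
! traffic and decrypted traffic from the tunnel. Permit only what the
! remote site may reach, then explicitly deny the rest of the VPN range
! so a later broad rule cannot re-open it.
access-list OUTSIDE_IN remark -- tunnel control traffic from the peer
access-list OUTSIDE_IN remark -- (assumed to be needed on this PIX release; harmless if not)
access-list OUTSIDE_IN permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
access-list OUTSIDE_IN permit esp host 198.51.100.1 host 203.0.113.2
access-list OUTSIDE_IN remark -- what the remote LAN is allowed to reach inside
access-list OUTSIDE_IN permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 1433
access-list OUTSIDE_IN permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo
access-list OUTSIDE_IN deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! ===== Option 2 (Rik's second): keep the bypass, filter what we send =====
! Leave the sysopt in place; inbound tunnel traffic is NOT filtered here,
! so this only helps when you also control the peer's firewall.
sysopt connection permit-ipsec
access-list INSIDE_IN remark -- only HTTPS from our LAN may enter the tunnel
access-list INSIDE_IN permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 443
access-list INSIDE_IN deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list INSIDE_IN permit ip 10.1.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

    Pick one option or combine them; they are independent. After applying Option 1, `show access-list OUTSIDE_IN` should show hit counts climbing on the 10.2.0.0/24 lines as tunnel traffic arrives, and `show crypto ipsec sa` should still show the SA with the unchanged VPN_TRAFFIC proxy identities, which confirms that filtering happened on the interface ACL and not in the encryption domain.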
  4. > If you disable sysopt connection permit-ipsec, then the access-list
    > applied to the interface the tunnel terminated on will filter traffic
    > that arrives from the tunnel.


    I think that's what I'm looking for. Thank you!
    Michael Kiessling, Dec 19, 2003
    #4
