- PIX VPN Firewall-Rules
- Posted by Michael Kiessling on December 18th, 2003
Hi,
I want to restrict the access from a vpn tunnel inside my LAN.
Where do I have to set the access-list?
On the outside interface, on the inside interface (I don't think
this works), or do I have to set the rules at the access-list which
describes the tunnel (encryption domain)?
I don't have the possibility to set up a test environment - so maybe
someone did this before.
Thank you,
Michael
- Posted by Martin Bilgrav on December 18th, 2003
Depends on where you have sysopt connection permit-ipsec or just a plain ACL
for IPsec traffic.
regards
martin
- Posted by Rik Bain on December 18th, 2003
On Thu, 18 Dec 2003 09:10:25 -0600, Michael Kiessling wrote:
If you disable sysopt connection permit-ipsec, then the access-list
applied to the interface the tunnel terminated on will filter traffic
that arrives from the tunnel.
If you leave the sysopt in place, you can filter traffic on the internal
interface(s) to prevent traffic from entering the pix before it hits the
tunnel.
The second option is effective if you have control of both sides, as it
does not filter traffic from the other peer, but rather filters what you
send to them.
Rik Bain
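The two placements Rik describes, as an added PIX 6.x configuration example that is not part of the original thread. Interface names, ACL names, the 10.1.1.0/24 LAN, the 192.168.100.0/24 remote encryption domain, the peer address 203.0.113.1 and the transform-set name are all assumed for illustration; substitute your own.

```cisco
! --- Option 1: filter what the remote peer sends us ---------------------
! Without the sysopt, decrypted tunnel traffic is checked against the ACL
! bound to the interface the tunnel terminates on (outside). The crypto ACL
! (encryption domain) stays broad; it only selects what gets encrypted, it
! does not filter.
no sysopt connection permit-ipsec

! Assumed encryption domain: LAN <-> remote site
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic

crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Outside ACL: remote site may only reach the web server on 443; everything
! else from the tunnel falls through to the explicit deny. Any rules you
! already have for plain Internet traffic must live in this same ACL, since
! only one ACL can be bound per interface.
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 443
access-list outside_in deny ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group outside_in in interface outside

! --- Option 2: keep the sysopt, filter what we send to them -------------
! Decrypted traffic from the peer bypasses the outside ACL. The inside ACL
! (PIX 6.x applies ACLs inbound only) limits which local hosts may send
! anything toward the remote domain before it reaches the crypto map.
sysopt connection permit-ipsec

access-list inside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.100.5 eq 445
access-list inside_in deny ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

Pick one option; the two blocks are alternatives, not meant to be applied together. After applying either, generate some traffic across the tunnel and check the counters with show access-list: the permit and deny entries should accrue hit counts, which is the quickest way to confirm the ACL is actually in the path without a lab. As Rik notes, option 2 only restricts sessions your side initiates; if you do not control the far end and need to stop inbound connections from the peer, option 1 is the one that does that.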
- Posted by Michael Kiessling on December 19th, 2003
I think that's what I'm looking for. Thank you!