RE: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 08/25/04

  • Next message: ROUMEGOUX Pierre: "[fw-wiz] Netscreen compatibility"
    To: "John Galt" <jgalt163@comcast.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 25 Aug 2004 10:23:48 -0400
    
    

    As long as 'sysopt connection permit-ipsec' is NOT set on that PIX and
    that the outside interface is where the VPN tunnel terminates, then yes,
    that access-list would work.

    PaulM

    > -----Original Message-----
    > Assuming that the VPN successfully connects and there is full IP
    > connectivity between local host 192.168.10.1 and remote host
    > 192.168.20.2.
    >
    > If I then use the access-group command on the outside
    > interface and apply
    > an access list that includes:
    >
    > permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
    > deny ip host 192.168.2.20 host 192.168.1.10
    >
    > Would access be restricted to only telnet traffic from remote host
    > 192.168.2.20 to local host 192.168.1.10
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
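The configuration Paul describes, written out as an added example that is not part of either poster's message. It uses the two access-list lines quoted in the question, and assumes the outside interface is named "outside" and the access-list is named "outside_in" (both names are placeholders; the PIX 6.x syntax is otherwise standard).

```cisco
! Make sure decrypted IPsec traffic is NOT exempted from the interface ACL.
! With 'sysopt connection permit-ipsec' set, packets arriving through the
! tunnel bypass the outside access-group entirely and the rules below never
! see them.
no sysopt connection permit-ipsec

! Inbound rules for the outside interface, where the tunnel terminates.
! PIX ACLs are evaluated top-down, first match wins, implicit deny at the end.
! Addresses are the ones from the quoted question.
access-list outside_in permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
access-list outside_in deny ip host 192.168.2.20 host 192.168.1.10

! Apply the list to traffic entering the outside interface.
! Any other inbound rules the firewall already needs (e.g. for non-VPN
! traffic to a DMZ) must live in this same list, since only one
! access-group can be bound inbound per interface.
access-group outside_in in interface outside

! Verification: confirm the sysopt is absent and watch hit counts climb on
! the permit line (and only that line) while the remote host telnets in.
show sysopt
show access-list outside_in
```

The explicit `deny ip` line is redundant with the implicit deny that closes every PIX access-list, but keeping it gives a per-rule hit counter in `show access-list`, which is the easiest way to see that non-telnet traffic from the remote host is being dropped by the ACL rather than slipping past it via the sysopt exemption.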