RE: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX
From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 08/25/04
- Previous message: Bruce Platt: "[fw-wiz] Off-Topic: Memo of Understanding for Using an Ethical Hacker"
- Maybe in reply to: John Galt: "[fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX"
- Next in thread: stephane nasdrovisky: "Re: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "John Galt" <jgalt163@comcast.net>, <firewall-wizards@honor.icsalabs.com>
Date: Wed, 25 Aug 2004 10:23:48 -0400
As long as 'sysopt connection permit-ipsec' is NOT set on that PIX and
the outside interface is where the VPN tunnel terminates, then yes,
that access-list would work.
PaulM
> -----Original Message-----
> Assuming that the VPN successfully connects and there is full IP
> connectivity between local host 192.168.10.1 and remote host
> 192.168.20.2.
>
> If I then use the access-group command on the outside
> interface and apply
> an access list that includes:
>
> permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
> deny ip host 192.168.2.20 host 192.168.1.10
>
> Would access be restricted to only telnet traffic from remote host
> 192.168.2.20 to local host 192.168.1.10
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
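The configuration Paul's answer describes, as an added example that is not part of the original thread: a PIX 6.x-style fragment showing the setting that makes the outside ACL irrelevant for tunnelled traffic beside the corrected form, with the poster's two ACL entries applied to the interface where the tunnel terminates. The ACL name, the peer and outside-interface addresses, and the explicit IKE/ESP entries are assumptions for illustration.

```cisco
! Added example, not from the original post. PIX 6.x syntax; ACL name,
! peer address (203.0.113.5) and outside interface address (198.51.100.1)
! are assumed for illustration.
!
! --- Weak form: decrypted IPsec traffic bypasses the interface ACL ---
! With this set, every packet that arrives through the tunnel is permitted
! no matter what access-group is bound to the outside interface, so the
! telnet-only access-list below would have no effect on VPN traffic.
sysopt connection permit-ipsec
!
! --- Corrected form: decrypted traffic is checked against the outside ACL ---
no sysopt connection permit-ipsec
!
! The tunnel itself still has to reach the PIX. Depending on version these
! IKE and ESP packets are accepted without an ACL entry; listing them is
! harmless and makes the intent visible. (Assumed to be required here.)
access-list outside_in permit udp host 203.0.113.5 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.5 host 198.51.100.1
!
! Decrypted traffic from the remote host to the local host: telnet only.
! The ACL matches the inner (cleartext) addresses, not the IPsec peer.
! The explicit deny is redundant with the implicit deny at the end of the
! list, but it gives a hit counter to watch.
access-list outside_in permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
access-list outside_in deny ip host 192.168.2.20 host 192.168.1.10
!
! Bind the list inbound on the interface where the tunnel terminates.
access-group outside_in in interface outside
!
! Check: open a telnet session and then some other TCP connection from
! 192.168.2.20 to 192.168.1.10 across the tunnel, and compare the hit
! counts. Only the permit-telnet entry and the deny entry should increment.
! show access-list outside_in
```

Two caveats a practitioner would want: on PIX 7.0 and later and on the ASA the setting was renamed `sysopt connection permit-vpn` and is enabled by default, so the same ACL silently does nothing until it is turned off with `no sysopt connection permit-vpn`; and on those versions a per-tunnel `vpn-filter` in the group policy is the usual way to restrict decrypted traffic without disabling the bypass for every tunnel on the box.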