RE: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 08/25/04

    To: "John Galt" <jgalt163@comcast.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 25 Aug 2004 10:23:48 -0400

    As long as 'sysopt connection permit-ipsec' is NOT set on that PIX and
    the outside interface is where the VPN tunnel terminates, then yes,
    that access-list would work.

    PaulM

    > -----Original Message-----
    > Assuming that the VPN successfully connects and there is full IP
    > connectivity between local host 192.168.10.1 and remote host
    > 192.168.20.2.
    >
    > If I then use the access-group command on the outside interface and
    > apply an access list that includes:
    >
    > permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
    > deny ip host 192.168.2.20 host 192.168.1.10
    >
    > Would access be restricted to only telnet traffic from remote host
    > 192.168.2.20 to local host 192.168.1.10?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
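The configuration below is an added illustration of the point made in the reply above; it is not part of the original thread and was not posted by either participant. It shows, in PIX 6.x syntax, the sysopt setting that lets tunnel traffic bypass the outside access-group alongside the form in which the access list is actually enforced on decrypted traffic. The host addresses and the telnet port are taken from the original question; the interface name `outside` and the access-list name `outside_in` are assumptions.

```cisco
! Added example (not from the list post). PIX 6.x configuration showing the
! two settings that decide whether the outside ACL is applied to decrypted
! VPN traffic. Interface name "outside" and ACL name "outside_in" are
! assumed; the hosts and port come from the original question.

! --- Weak form: the interface ACL is bypassed for IPsec traffic ---
! While this sysopt is set, packets that arrive through the tunnel are
! permitted regardless of the access-group on the outside interface, so
! the telnet-only restriction below is NOT enforced on VPN traffic.
sysopt connection permit-ipsec

! --- Enforced form: switch the bypass off so the ACL is evaluated after
! decryption, which is the condition stated in the reply above ---
no sysopt connection permit-ipsec

! Remote host 192.168.2.20 may reach local host 192.168.1.10 on telnet only;
! all other IP traffic between the two hosts is explicitly denied.
access-list outside_in permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
access-list outside_in deny ip host 192.168.2.20 host 192.168.1.10

! Bind the list inbound on the interface where the tunnel terminates.
access-group outside_in in interface outside
```

Two practical checks go with this: confirm in `show running-config` that the `sysopt connection permit-ipsec` line is absent, and watch the hit counts in `show access-list` while a telnet session is opened across the tunnel; the counter on the permit entry rising is the evidence that tunnel traffic is actually passing through the list. Remember that the access list ends in an implicit deny, so every other flow that is expected to enter on the outside interface, including traffic from other VPN peers, now needs its own permit entry.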

