IPSec access-lists and tunnel group policy.

Answered Question
Feb 8th, 2008

I have an IPSec Site to Site VPN tunnel that terminates on the outside interface of the firewall. My FTP server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the Site to Site, I create a tunnel group and group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and interface ACL working together? Does one override the other? How are these working together?

Correct Answer by acomiskey, Thu, 02/14/2008 - 11:39

When the traffic is IPsec, the interface ACLs are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the IPsec traffic.
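The following ASA configuration is an added illustration of the answer above; it is not from the original poster or the answerer. The interface names, ACL names, group-policy and tunnel-group names, and all addresses (RFC 5737 documentation ranges) are placeholders, and the pre-shared key is shown masked. It shows the interface ACL that decrypted tunnel traffic bypasses, the `sysopt` command that causes that bypass, and the `vpn-filter` attached through the group policy that filters the tunnel traffic instead.

```cisco
! --- Interface ACL ---
! Applied to cleartext traffic arriving on the outside interface.
! While "sysopt connection permit-vpn" is enabled (the ASA default),
! traffic that arrives encrypted and is decrypted by the IPsec tunnel
! is NOT checked against this ACL. The same holds for the ACL on the
! DMZ interface described in the question.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Default on the ASA. Removing it ("no sysopt connection permit-vpn")
! makes decrypted tunnel traffic subject to the interface ACLs again,
! in addition to any vpn-filter.
sysopt connection permit-vpn

! --- vpn-filter ACL ---
! This is what actually filters the tunnel traffic. Caveat: the ACL is
! written from the REMOTE peer's perspective, i.e. source = remote LAN
! (198.51.100.0/24, placeholder), destination = local host (192.0.2.10,
! placeholder FTP server in the DMZ). An ACL written local -> remote
! will match nothing and the tunnel traffic will be dropped.
access-list VPN_FILTER extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq ftp
access-list VPN_FILTER extended deny ip any any log

! Attach the filter to the group policy, then to the site-to-site tunnel group.
group-policy S2S_POLICY internal
group-policy S2S_POLICY attributes
 vpn-filter value VPN_FILTER

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy S2S_POLICY
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
```

To confirm which ACL is doing the work, compare the hit counts from `show access-list VPN_FILTER` and `show access-list OUTSIDE_IN` while tunnel traffic flows: with `sysopt connection permit-vpn` in place only the vpn-filter counters should increment, and denied tunnel traffic shows up under the vpn-filter's `deny ... log` entry rather than the interface ACL's.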
