586 Views, 0 Helpful, 4 Replies

IPSec access-lists and tunnel group policy

jkochman
Level 1

I have an IPSec site-to-site VPN tunnel that terminates on the outside interface of the firewall. My FTP server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the site-to-site, I create a tunnel group and a group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and the interface ACL working together? Does one override the other? How do these work together?

1 Accepted Solution

acomiskey
Level 10

When the traffic is IPsec, the interface ACLs are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the IPsec traffic.

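A worked ASA configuration for the situation described in the question, added here as an illustration and not posted by either participant. It shows the two pieces the accepted answer refers to side by side: `sysopt connection permit-vpn` (the command's current name; it is enabled by default, so decrypted IPsec traffic skips the outside interface ACL) and a `vpn-filter` ACL bound to the group policy that the tunnel group uses. Two points the answer leaves implicit are spelled out in the comments: a vpn-filter ACL is written from the remote peer's point of view (source = remote network, destination = local network) and ends in an implicit deny, and the sysopt bypass only covers traffic arriving from the tunnel, so an ACL applied inbound on the DMZ interface still governs connections the FTP server itself initiates. All addresses, object names and the peer IP are assumptions for the example.

```cisco
! Added example, not from the original thread. Addresses, ACL and group
! names (SITEB, VPN_FILTER_SITEB, GP_SITEB) and the peer IP are assumptions.
!
! Default on the ASA: decrypted IPsec traffic bypasses the interface ACL
! on the interface where the tunnel terminates (here: outside).
sysopt connection permit-vpn
!
! vpn-filter ACL. Written from the REMOTE side's point of view:
!   source      = remote (peer) LAN, 10.20.0.0/16
!   destination = local host behind the ASA, the DMZ FTP server 192.0.2.10
! Only the FTP control channel (tcp/21) is permitted; everything else that
! comes out of this tunnel is dropped by the implicit deny at the end.
access-list VPN_FILTER_SITEB extended permit tcp 10.20.0.0 255.255.0.0 host 192.0.2.10 eq ftp
! (add tcp/20 or the passive-mode port range if FTP inspection is disabled)
!
! Bind the filter to a group policy, then make that policy the default for
! the site-to-site tunnel group so the filter applies to this peer only.
group-policy GP_SITEB internal
group-policy GP_SITEB attributes
 vpn-filter value VPN_FILTER_SITEB
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP_SITEB
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key ********
!
! The bypass is one-directional. Traffic entering the ASA from the DMZ,
! e.g. the FTP server opening a connection toward the remote site, is still
! checked against the ACL applied inbound on the DMZ interface (and against
! the vpn-filter before encryption).
!
! Alternative: turn the bypass off so the OUTSIDE interface ACL must also
! permit the decrypted traffic. The vpn-filter, if configured, still applies.
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.0.0 host 192.0.2.10 eq ftp
! access-group OUTSIDE_IN in interface outside
```

To confirm which filter is actually attached to a live tunnel, `show vpn-sessiondb detail l2l` lists the filter name per session, and `show access-list VPN_FILTER_SITEB` shows hit counts on each entry, which is the quickest way to tell whether the interface ACL or the vpn-filter is the one dropping a connection.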

4 Replies

bwilmoth
Level 5

Thanks

