02-08-2008 10:36 AM - edited 02-21-2020 03:32 PM
I have an IPSec site-to-site VPN tunnel that terminates on the outside interface of the firewall. My FTP server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the site-to-site, I create a tunnel group and group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and the interface ACL working together? Does one override the other? How are these working together?
02-14-2008 11:39 AM
When the traffic is IPsec, the interface ACLs are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the IPsec traffic.
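The relationship described in the answer above, shown as an added ASA configuration example (this is not configuration from the original thread or from the poster). All addresses, ACL and policy names are assumptions chosen for illustration: 203.0.113.5 is the remote peer, 10.20.0.0/16 is the remote site's LAN, and 192.168.50.10 is the FTP server in the DMZ.

```cisco
! Decrypted IPsec traffic bypasses the interface ACLs. This is the ASA
! default; the PIX 6.x equivalent was "sysopt connection permit-ipsec".
! If you turn this off, the outside interface ACL is checked as well.
sysopt connection permit-vpn

! The vpn-filter ACL is always written with the REMOTE side as the source
! and the LOCAL side as the destination, regardless of which side opens the
! connection; the ASA applies it in both directions. Only the FTP control
! channel is permitted here; FTP data-channel handling is outside this example.
access-list VPN-FILTER-SITEB extended permit tcp 10.20.0.0 255.255.0.0 host 192.168.50.10 eq ftp
access-list VPN-FILTER-SITEB extended permit icmp 10.20.0.0 255.255.0.0 host 192.168.50.10
! An implicit deny ends the ACL, so anything not listed is dropped after decryption.

! The filter is attached to a group policy, and the group policy to the
! site-to-site tunnel group, which is named after the peer address.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB
 vpn-tunnel-protocol IPSec
! (On ASA 8.4 and later the keyword is ikev1 or ikev2 instead of IPSec.)

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP-SITEB
```

To confirm which policy is actually filtering the tunnel, `show vpn-sessiondb l2l` lists the group policy and filter name bound to the active session, and `show access-list VPN-FILTER-SITEB` shows hit counts climbing as traffic is matched. Hit counts on the DMZ interface ACL will not move for this traffic while `sysopt connection permit-vpn` is in effect, which is the quickest way to see that the two ACLs are not evaluated together.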
02-14-2008 11:33 AM
This document has configuration information regarding IPsec.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
02-21-2008 03:32 PM
Thanks