Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.
It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?
I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the inside interface or the outside interface?
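The following is an added ASA configuration example, not part of the original post and not the poster's configuration. It shows the two places where traffic arriving through an IPsec tunnel is normally filtered on an ASA: an interface ACL on the outside interface (which by default is bypassed for VPN traffic because `sysopt connection permit-vpn` is enabled) and a `vpn-filter` ACL attached to the tunnel's group policy, which is evaluated even when interface ACLs are bypassed. The names `HQ-SERVERS-NET`, `BRANCH-VPN-FILTER`, `BRANCH-GP` and the tunnel-group name are assumptions; the 172.19.15.0/24 branch subnet is taken from the post, and 10.0.0.0/24 is a constructed placeholder for the HQ server range.

```text
! Assumed HQ server subnet (constructed placeholder, not from the post)
object network HQ-SERVERS-NET
 subnet 10.0.0.0 255.255.255.0

! Option A: a vpn-filter. ACLs referenced by vpn-filter are written from the
! remote (branch) side's perspective and apply in both directions, so the
! source is the branch network and the destination is the HQ side.
access-list BRANCH-VPN-FILTER extended deny ip 172.19.15.0 255.255.255.0 object HQ-SERVERS-NET
access-list BRANCH-VPN-FILTER extended permit ip 172.19.15.0 255.255.255.0 any

group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-filter value BRANCH-VPN-FILTER

! Attach the group policy to the L2L tunnel group (peer address is an assumption)
tunnel-group 203.0.113.10 general-attributes
 default-group-policy BRANCH-GP

! Option B: make interface ACLs apply to decrypted VPN traffic instead.
! With this disabled, the ACL bound inbound on the outside interface is
! evaluated for traffic leaving the tunnel, so deny lines there take effect.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended deny ip 172.19.15.0 255.255.255.0 object HQ-SERVERS-NET
access-list OUTSIDE-IN extended permit ip 172.19.15.0 255.255.255.0 any
access-group OUTSIDE-IN in interface outside
```

Decrypted site-to-site traffic enters the ASA on the outside interface, so the interface ACL that could match it is the one applied inbound on outside, not inside; but that ACL is only consulted once `sysopt connection permit-vpn` is disabled, which then also affects every other VPN terminating on the ASA. The vpn-filter approach scopes the restriction to this one tunnel and is usually the safer choice. After applying either option, `show access-list BRANCH-VPN-FILTER` (or `OUTSIDE-IN`) shows hit counts on the deny line, which is the quickest way to confirm the rule is actually being evaluated.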