Site-to-Site VPN - ACL placement???

acomiskey Wed, 09/10/2008 - 08:06

What version of pix?

If you disable sysopt connection permit-ipsec you can then write the access inbound to the outside interface of pix A. If you use that command, this will filter all ipsec traffic to pix A.

singhsaju Wed, 09/10/2008 - 08:07
You can bind an access-list to the inside interface of the PIX, but remember this access-list would be inbound.

For example:

access-list 120 deny ip host

access-list 120 permit ip any any

access-group 120 in interface inside

Pls rate if it helps

Site A has a PIX running 6.3(5).

I already have an access-list associated with my inside interface. I was thinking I could put it there, but wasn't sure.

So I could say:

object-group network DB_Servers
 network-object host
 network-object host
object-group service DB_Server_Ports tcp-udp
 port-object eq 1521
 port-object eq 3306
access-list my_acl permit ip host object-group DB_Servers DB_Server_Ports

Is the permit statement correct using "ip"?

acomiskey Wed, 09/10/2008 - 10:45

Your original post sounds like you were filtering traffic originating from site B destined to site A. If this is the case, filtering traffic into the inside interface of site A won't work. You would want to put an inside acl on site B.

singhsaju Wed, 09/10/2008 - 10:54

I agree with Adam, try to put the ACL on site B instead of site A.
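Putting the two answers together as an added example (not configuration from anyone in this thread): a PIX 6.3 snippet that restricts site B hosts to the site A DB servers on the DB ports only, applied inbound on site B's inside interface as Adam and singhsaju suggest, plus the alternative of disabling sysopt connection permit-ipsec and filtering decrypted tunnel traffic inbound on site A's outside interface. Addresses and ACL names are constructed; note that a service object-group is referenced with a tcp or udp protocol keyword, since "permit ip" cannot take port objects.

```cisco
! Added example, not from the thread. Constructed addressing:
! site A LAN 10.1.0.0/24 with DB servers 10.1.0.10 and 10.1.0.11,
! site B LAN 10.2.0.0/24. PIX 6.3 syntax. Crypto map, NAT exemption
! and the rest of the tunnel config are assumed to already exist.

! --- Site B PIX: filter before the traffic enters the tunnel ---
object-group network DB_Servers
 network-object host 10.1.0.10
 network-object host 10.1.0.11
! Both Oracle (1521) and MySQL (3306) listeners are TCP.
object-group service DB_Server_Ports tcp
 port-object eq 1521
 port-object eq 3306
! Protocol must be tcp (or udp) when a service object-group is used;
! "permit ip ... object-group DB_Server_Ports" is rejected by the parser.
access-list inside_in permit tcp 10.2.0.0 255.255.255.0 object-group DB_Servers object-group DB_Server_Ports
! Block everything else from site B to the site A LAN; order matters,
! this deny must sit above the broad permit that follows.
access-list inside_in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Whatever the site already allows out (Internet etc.) stays below.
access-list inside_in permit ip 10.2.0.0 255.255.255.0 any
access-group inside_in in interface inside

! --- Alternative on the site A PIX: filter decrypted VPN traffic ---
! By default the PIX bypasses the outside ACL for IPsec traffic; once
! this is off, every tunnel flow must be explicitly permitted here.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 object-group DB_Servers object-group DB_Server_Ports
access-list outside_in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Existing outside_in entries for non-VPN inbound traffic remain.
access-group outside_in in interface outside
```

Verify with "show access-list inside_in" (or outside_in) on the PIX: the hit counts on the permit and deny entries confirm which path the traffic is actually taking.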