Site-to-site VPN management

Unanswered Question
Feb 26th, 2009
Hi all. My headquarters office is linked to all other subsidiary offices using site-to-site VPN. Currently I need to implement an access list on each of the PIX/ASA firewalls of my subsidiaries to limit what they can access at my headquarters. This access list is applied to the inside interface of my subsidiary firewalls. Hence I would like to know if it is possible to do the restriction of incoming traffic from the site-to-site VPN on my headquarters ASA5510 firewall instead of implementing the restriction on each of my subsidiary firewalls. Thanks in advance.

adamclarkuk_2 Thu, 02/26/2009 - 05:16

Hi Wenbin li

This should be no problem at all.

If you apply an ACL outbound on the inside interface of your HQ ASA, you will be able to restrict what the VPNs can or cannot access, and then use generic ACLs for your encryption domains for the IPSec setup.

But also bear in mind that this ACL will control access to ALL traffic entering the inside network, so you will need entries for existing access.
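The configuration that the answer above describes, written out as an added example (editor's example, not configuration posted in this thread). It assumes an ASA running 7.x or later, an inside interface named "inside", an HQ LAN of 192.168.10.0/24 with an intranet web server at 192.168.10.10 and a DNS server at 192.168.10.20, and subsidiary LANs that all fall within 10.1.0.0/16; all of these addresses and names are assumptions for the example.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   HQ inside network       192.168.10.0/24  (interface "inside")
!   HQ intranet web server  192.168.10.10
!   HQ DNS server           192.168.10.20
!   Subsidiary LANs         10.1.0.0/16 (every branch site is in this range)
!
! Egress ACL on the HQ ASA's inside interface. It is evaluated for every
! packet leaving the firewall toward the inside network, including traffic
! that arrived through the site-to-site tunnels after decryption.

! 1. What the subsidiaries are allowed to reach at HQ
access-list INSIDE_OUT extended permit tcp 10.1.0.0 255.255.0.0 host 192.168.10.10 eq 443
access-list INSIDE_OUT extended permit udp 10.1.0.0 255.255.0.0 host 192.168.10.20 eq 53

! 2. Everything else from the subsidiaries toward the HQ LAN is dropped and logged,
!    so the denied attempts show up in syslog for review.
access-list INSIDE_OUT extended deny ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0 log

! 3. The ACL ends with an implicit deny, so any other traffic that must still
!    enter the inside network needs an explicit entry (the answer's caveat).
!    Reply packets for connections opened from inside are matched by the
!    stateful connection table and do not need entries; a server published to
!    the Internet does. Example: an assumed mail server at 192.168.10.30.
access-list INSIDE_OUT extended permit tcp any host 192.168.10.30 eq 25

! 4. Apply the ACL in the outbound direction on the inside interface
access-group INSIDE_OUT out interface inside
```

The crypto ACL that defines each tunnel's encryption domain can stay generic (for example 10.1.x.0/24 to 192.168.10.0/24), since the filtering now happens at the inside interface rather than in the tunnel definition. After applying it, `show access-list INSIDE_OUT` shows per-entry hit counts, which is the quickest way to confirm that branch traffic is matching the intended lines rather than the deny.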

donnie Thu, 02/26/2009 - 19:41

Hi adam,

Thank you for your advice. However, my HQ is using a PIX 515E instead of an ASA5510. It seems that for the PIX I cannot apply an ACL on outbound traffic on my inside interface. Any advice on how I can overcome this? Thanks in advance.

donnie Thu, 02/26/2009 - 19:55

Hi adam,

My PIX is using version 6.3. Do I need to upgrade to version 7 in order to apply an ACL on outbound traffic coming from my inside interface?

adamclarkuk_2 Fri, 02/27/2009 - 01:35

Hi Wenbin

Yes, you will; you only have the option of applying ACLs inbound on your current OS.
