site to site vpn management

donnie · ‎02-26-2009

Hi all. My headquarters office is link to all other subsidiary office using site to site vpn. Currently i need to implement an accesslist on each of the pix/asa firewall of my subsidiary to limit what they can access on my headquarters. This accesslist is applied to the inside interface of my subsidiary firewalls. Hence i would like to know if it is possible to do the restriction of incoming traffic from site to site vpn on my headquarters asa5510 firewall instead of implementing the restriction on each of my subsidiary firewall. Thks in advance.

adamclarkuk_2 · ‎02-26-2009

Hi Wenbin li

This should be no problem at all.

If you apply an ACL outbound on your inside interface of your HQ ASA, you will be able to restrict what the VPN's can or cannot access and then use generic ACL's for yor encryption domains for the IPSec setup.

but also bear in mind that this ACL will control access to ALL traffic entering the inside network so you will need entries for existing access.

donnie · ‎02-26-2009

Hi adam,

Thk you for your advise. However my HQ is using pix515e instead of asa5510. It seems that for pix i cannot apply acl on outbound traffic on my inside interface. Any advise on how i can overcome this? Thks in advance.

donnie · ‎02-26-2009

Hi adam,

My pix is using version 6.3. Do i need to upgrade to version 7 in order to apply acl on outbound traffic coming from my inside interface?

adamclarkuk_2 · ‎02-27-2009

Hi Wenbin

Yes you will, you only have the option of applying ACL's inbound on your current OS.