Filtering Tunnels

chrish · ‎05-17-2007

I have an ASA 5520 7.2 (I bleieve)

I am allowing an Ipsec tunnel thru this firewall, but the ASA itself is not an endpoint for this tunnel. Is it possible to filter the traffic that goes thru the tunnel and if so how?

All I really want to do is limit the devices allowed to use this tunnel ie allow IP 1 to IP 2 and drop everything else.

Thanks in advance.

acomiskey · ‎05-17-2007

Could you explain, is the vpn client inside or outside the firewall? What is the endpoint? As long as you don't want to filter traffic once the tunnel is established you should be able write a simple access-list to restrict which ip addresses are able to vpn. Also, is this remote access or lan to lan?

chrish · ‎05-17-2007

This is a lan to lan static tunnel.

Filtering traffic that is traveling thru the established tunnel is what I am trying to accomplish.

The endpoints are 2 devices by a company called SonicWall. The tunnel simply passes thru my firewall and I don't have access to the other devices to insure the security I desire.

Richard Burts · ‎05-18-2007

Chris

If an encrypted VPN site to site tunnel is passing through your firewall I do not know of any way that you can examine or filter that traffic. Part of the purpose of IPSec VPN is that no intermediate device along the VPN path can see the data being transported.

HTH

Rick

HTH

Rick