
New Member

L2L between IOS and ASA

I have an L2L connection between an ASA and a Cisco router.

I would like to protect traffic and give full access from the PIX LAN to some hosts on the Cisco router side, but not the inverse.

How do I protect the LAN network on the PIX site?

I couldn't find anything on the PIX side like "tcp established" in an ACL.

On Cisco routers I can easily configure an access-list in the ipsec-isakmp profile (set ip access-group in | out).

thanks in advance for any help

Cisco Employee

Re: L2L between IOS and ASA

Check out the "vpn-filter" command, available in the group-policy.

New Member

Re: L2L between IOS and ASA

OK, I know about it, but where can I control TCP flags?

Cisco Employee

Re: L2L between IOS and ASA

You cannot control TCP flags - but why would you want to do that in the first place? Note that the PIX/ASA is a stateful firewall, not a packet filter.

Re-reading your initial question, I think what you want to achieve can be done using "no sysopt connection permit-vpn" and then permitting/denying traffic in the ACL on the outside interface.

Note however that the outside ACL will apply to all inbound connections over *all* VPN tunnels.
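The two approaches from the replies above, written out as an added ASA configuration example (not from the thread or from Cisco). All addresses are assumptions: 192.168.10.0/24 is the ASA-side LAN, 192.168.20.0/24 is the router-side LAN, 192.168.20.10 and .11 are the hosts the ASA LAN may reach, and 203.0.113.1 is the router's peer address. The ACL and group-policy names are also made up for the example.

```text
! Added example, not from the thread. Assumed addressing:
!   ASA-side LAN:                      192.168.10.0/24
!   router-side LAN:                   192.168.20.0/24
!   router-side hosts the LAN may use: 192.168.20.10, 192.168.20.11
!   router peer address:               203.0.113.1
!
! --- Option A: vpn-filter in the group-policy (first reply) ---
! A vpn-filter ACL is written with the REMOTE side as source and the
! LOCAL side as destination; the ASA mirrors it for traffic leaving the
! tunnel. It limits WHICH hosts talk, but because it is applied to both
! directions it cannot express "only the ASA LAN may initiate".
access-list VPN-FILTER-ROUTER extended permit ip host 192.168.20.10 192.168.10.0 255.255.255.0
access-list VPN-FILTER-ROUTER extended permit ip host 192.168.20.11 192.168.10.0 255.255.255.0
!
group-policy GP-L2L-ROUTER internal
group-policy GP-L2L-ROUTER attributes
 vpn-filter value VPN-FILTER-ROUTER
!
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-L2L-ROUTER
!
! --- Option B: outside interface ACL (second reply) ---
! With the sysopt removed, decrypted tunnel traffic is checked against
! the ACL on the outside interface like any other inbound packet.
! Connections the ASA LAN opens are tracked in the connection table,
! so their return packets pass without an ACL lookup; connections the
! router side tries to open hit the deny. This is the stateful
! equivalent of "tcp established" on IOS.
no sysopt connection permit-vpn
!
access-list OUTSIDE-IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
! (any other inbound traffic the outside interface must accept goes here;
!  everything not listed is dropped by the implicit deny)
access-group OUTSIDE-IN in interface outside
!
! Verification after applying either option:
!   show vpn-sessiondb l2l            -> tunnel up, filter name shown (Option A)
!   show access-list OUTSIDE-IN       -> hit counts rising on the deny when
!                                        the router side tries to connect (Option B)
```

Two caveats for Option B: as the reply says, the outside ACL is evaluated for every tunnel terminating on that interface, so each other L2L peer needs its own permit lines; and the ASA only tracks ICMP statefully when `inspect icmp` is enabled in the policy-map, so without it echo replies from the router side would also need an explicit permit.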
