ACLs for Traffic Within VPNs

I'm successfully running site-to-site and remote site VPNs on a PIX. Now, my desire is to apply ACLs to the traffic within the VPNs. How do I do it?

1 REPLY

Re: ACLs for Traffic Within VPNs

Here's more information:

My goal is applying ACLs to traffic within VPNs coming in from the PIX outside interface.

Let's say a site-to-site VPN is established with remote peer 111.111.111.111 using the remote network 10.10.10.0, and a local network 192.168.200.0 terminating on the PIX dmz interface.

....
sysopt connection permit-ipsec
....
access-list 101 permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
....
ip address dmz 192.168.200.1 255.255.255.0
....
nat (dmz) 0 access-list 102
....
crypto map site2site 10 match address 101
crypto map site2site 10 set peer 111.111.111.111
....

Now let's say my goal is limiting traffic originating from the remote 10.10.10.0 network to telnet sessions on the local 192.168.250.0 dmz network, using the following configuration commands:

....
access-list YES permit tcp 10.10.10.0 255.255.255.0 192.168.250.0 255.255.255.0 eq telnet
access-group YES in interface outside
....

Does this work?

If so, it seems then the PIX order of operations is decrypting the IPSec traffic coming in from the PIX outside interface, and then applying the access-list to the decrypted traffic.

Is this how it works? Where is this documented?

....John
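As an added example that is not part of the original thread, here is the configuration in question placed beside the variant in which the outside interface ACL does get applied to tunnel traffic. On PIX 6.x, sysopt connection permit-ipsec lets packets that arrive through an IPsec tunnel bypass the access-group check on the interface they arrive on, so while it is in place an ACL bound to the outside interface is not consulted for the decrypted traffic at all. With the sysopt disabled, the outside ACL is applied both to the encrypted packets from the peer (IKE and ESP, addressed to the PIX itself) and to the cleartext that comes out of the tunnel, and it has to permit both. The addresses reuse those in the post (peer 111.111.111.111, remote 10.10.10.0/24, local 192.168.200.0/24 as selected by crypto ACL 101); the PIX outside address 222.222.222.222 and the ACL name OUTSIDE_IN are assumed for illustration.

```text
! Added example, not from the original thread. Peer, remote and local
! networks are the ones in the post; the PIX outside address
! 222.222.222.222 and the ACL name OUTSIDE_IN are assumed.

! --- Variant 1: as posted. Traffic that came out of the IPsec tunnel
! skips the access-group check on the outside interface, so the ACL
! below is never evaluated against the decrypted 10.10.10.0 packets.
sysopt connection permit-ipsec
access-list YES permit tcp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0 eq telnet
access-group YES in interface outside

! --- Variant 2: outside ACL enforced on tunnel traffic. Without the
! sysopt, the ACL must permit the peer's IKE (udp/500) and ESP packets
! to the PIX outside address, and then only the cleartext you actually
! want from the tunnel; the implicit deny at the end drops the rest.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit udp host 111.111.111.111 host 222.222.222.222 eq isakmp
access-list OUTSIDE_IN permit esp host 111.111.111.111 host 222.222.222.222
! add "permit udp host 111.111.111.111 host 222.222.222.222 eq 4500" if NAT traversal is in use
access-list OUTSIDE_IN permit tcp 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0 eq telnet
access-group OUTSIDE_IN in interface outside
```

Two caveats when reading the second variant. First, only packets whose source and destination match the crypto ACL (101) are accepted from the tunnel in the first place, so a destination outside 192.168.200.0/24 never reaches the interface ACL as decrypted traffic; the telnet entry narrows down traffic the tunnel already admits, it does not widen it. Second, after removing the sysopt, verify the tunnel still comes up and that non-telnet traffic from 10.10.10.0 is now dropped, which is the behaviour the ACL is meant to produce.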
