Cisco Support Community
ACLs for Traffic Within VPNs

I'm successfully running site-to-site and remote site VPNs on a PIX. Now, my desire is to apply ACLs to the traffic within the VPNs. How do I do it?


Re: ACLs for Traffic Within VPNs

Here's more information:

My goal is applying ACLs to traffic within VPNs coming in from the PIX outside interface.

Let's say a site-to-site VPN is established with a remote peer using the remote network, and a local network terminating on the PIX dmz:

sysopt connection permit-ipsec
access-list 101 permit ip
access-list 102 permit ip
ip address dmz
nat (dmz) 0 access-list 102
crypto map site2site 10 match address 101
crypto map site2site 10 set peer

Now let's say my goal is limiting traffic originating from the remote network to telnet sessions on the local dmz network, using the following configuration commands:

access-list YES permit telnet
access-group YES in interface outside

Does this work?

If so, it seems then the PIX order of operations is decrypting the IPsec traffic coming in from the PIX outside interface, and then applying the access-list to the decrypted

Is this how it works? Where is this documented?
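As an added example, not taken from the post above or from Cisco documentation, here is the same scenario written out with assumed addresses so the two orderings can be compared side by side. With `sysopt connection permit-ipsec` in place, packets that arrive through an IPsec tunnel bypass the interface access-group entirely, so `access-list YES` is never evaluated against them. With that sysopt removed, the PIX decrypts the packet first and then runs the cleartext packet through the ACL bound to the outside interface, which is what makes the restriction to telnet possible. The two cases are alternatives, not meant to coexist. The peer 192.0.2.1, the PIX outside address 198.51.100.1, the remote LAN 10.1.0.0/24, the dmz LAN 172.16.1.0/24 and the transform-set name `strong` are all assumptions; ISAKMP policy and pre-shared key lines are omitted.

```cisco
! Added example, not the poster's configuration. All addresses are assumed:
!   remote peer 192.0.2.1, PIX outside 198.51.100.1,
!   remote LAN 10.1.0.0/24, local dmz LAN 172.16.1.0/24
!
! Common tunnel definition (both cases)
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 102 permit ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (dmz) 0 access-list 102
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address 101
crypto map site2site 10 set peer 192.0.2.1
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
isakmp enable outside
!
! --- Case 1: sysopt present. Decrypted IPsec packets skip the outside
! access-group, so access-list YES is never consulted for tunnel traffic and
! everything access-list 101 covers (all IP from 10.1.0.0/24) reaches the dmz.
sysopt connection permit-ipsec
!
! --- Case 2: sysopt removed. The outside ACL is evaluated on the packet
! after decryption, so it can restrict tunnel traffic. Only telnet from the
! remote LAN to the dmz is allowed; anything else arriving via the tunnel is
! dropped by the implicit deny at the end of access-list YES.
no sysopt connection permit-ipsec
access-list YES permit tcp 10.1.0.0 255.255.255.0 172.16.1.0 255.255.255.0 eq telnet
! Assumption (version dependent): with the sysopt removed, the IKE and ESP
! packets addressed to the outside interface itself may also need explicit
! permits. Harmless if not required on a given release.
access-list YES permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
access-list YES permit esp host 192.0.2.1 host 198.51.100.1
access-group YES in interface outside
```

To confirm which ordering a given PIX is using, open a telnet and then some other connection (for example HTTP) from a host on 10.1.0.0/24 to the dmz and compare `show access-list YES` hit counts with the decaps counters in `show crypto ipsec sa`: in case 1 the decaps counters climb while the YES entries show no hits and both connections succeed; in case 2 only the telnet entry accrues hits and the second connection fails.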

