Cisco Support Community
New Member

ASA of PIX

The PIX ascertains the trustworthiness of the traffic based on the interface it is coming from, as defined by that interface's security value.

When I have LAN-to-LAN or RA VPNs terminated on the PIX, how is the traffic from VPN peers measured? Is it the lowest security value, the highest security value, or the security value of the interface the crypto map is applied to?

In other words, how do I configure NAT and access-lists for traffic from a VPN peer to one of my interfaces on the PIX?

1 REPLY
New Member

Re: ASA of PIX

When you are building up a PIX-to-PIX LAN-to-LAN tunnel, it will be like going from one inside network to the inside network on the other side. So it will be the lowest security value.

nat (inside) 0 access-list will bypass the NAT for VPN traffic.

"sysopt connection permit-ipsec" will open IPsec in the PIX and also bypass the access-group applied on the same interface to which the crypto map is applied.

If you want to control the traffic for the VPN LAN-to-LAN tunnel, you can modify the match-address access-list down to the service level.

For example, use "permit tcp host x.x.x.x eq 80 host y.y.y.y" instead of the usual "permit ip host x.x.x.x host y.y.y.y".
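The pieces the reply lists (NAT exemption, sysopt, and a service-level crypto ACL) fit together as in the PIX 6.x configuration fragment below. This is an added example and not the replier's own configuration; the host addresses, peer address, access-list and crypto map names are constructed placeholders, and the ISAKMP/IPsec parameters are illustrative.

```cisco
! Added example (not from the original post): PIX 6.x LAN-to-LAN tunnel
! with NAT exemption and a crypto ACL narrowed to one service.
! All addresses and names below are constructed placeholders.

! 1. Interesting traffic for the tunnel, limited to HTTP between two hosts.
!    Only flows matching this ACL are encrypted; anything else between the
!    two hosts is not carried by the tunnel at all.
access-list L2L_CRYPTO permit tcp host 10.1.1.10 host 10.2.2.20 eq 80

! 2. NAT exemption (nat 0) so the same flows keep their real inside
!    addresses before encryption; otherwise the crypto ACL never matches.
access-list L2L_NONAT permit ip host 10.1.1.10 host 10.2.2.20
nat (inside) 0 access-list L2L_NONAT

! 3. Decrypted IPsec traffic bypasses the access-group on the interface
!    where the crypto map is applied (outside).
sysopt connection permit-ipsec

! 4. Phase 1 and Phase 2 (parameter values are illustrative).
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set L2L_TS esp-3des esp-sha-hmac
crypto map L2L_MAP 10 ipsec-isakmp
crypto map L2L_MAP 10 match address L2L_CRYPTO
crypto map L2L_MAP 10 set peer 203.0.113.2
crypto map L2L_MAP 10 set transform-set L2L_TS
crypto map L2L_MAP interface outside
```

Note the asymmetry: the nat 0 access-list is written with "permit ip" so that every flow between the two hosts is exempt from translation, while the crypto ACL is the narrower "permit tcp ... eq 80" that actually decides what enters the tunnel. Tightening the crypto ACL is the control the reply describes; the outside access-group itself is not consulted for decrypted traffic while "sysopt connection permit-ipsec" is in effect.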
