Cisco Support Community

New Member

Can "normal" access-list be added to a PIX w/ existing IPSEC access-list?

I have a 501 Pix configured to perform "PIX to Concentrator Tunnel". I have configured the appropriate access-lists and bound them to the appropriate crypto-maps using the "match" command. I have basically used "ip" and not tcp or udp to determine access in my access-list statements. Can I configure separate lists to permit or deny using tcp and udp, then bind them to the inside interface? e.g. access-list acl_in permit tcp host 1.1.1.1 2.2.2.2 eq 21.

3 REPLIES
Cisco Employee

Re: Can "normal" access-list be added to a PIX w/ existing IPSEC

You mean having an ACL on the inside int stopping traffic from going out. Sure, you can do that. This is actually an effective way to stop certain traffic from going over the tunnel, as we don't recommend using TCP/UDP port numbers in crypto access-lists (too easy to get them mixed up when doing the opposite at the other end).

Stopping the traffic from even coming in on the inside interface is the best way to do this, while allowing all traffic that can come in on the inside interface over the crypto tunnel.
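As an added illustration of the approach the reply describes (not a configuration from the original thread), here is a PIX 6.x configuration that keeps the crypto access-list on plain "ip" and does the TCP/UDP filtering on an inside-interface ACL. The addresses, ACL names, crypto map name and peer are assumed placeholders; isakmp policy and pre-shared key configuration are omitted.

```text
! Added example, not from the thread. 192.168.1.0/24 is the LAN behind the PIX,
! 10.0.0.0/24 is the network behind the concentrator, 203.0.113.1 is the
! concentrator's public address (all placeholders).

! 1. Crypto ACL: protocol "ip" only, no ports. It only defines which traffic is
!    encrypted and must be the exact mirror image of the ACL on the far end.
access-list acl_crypto permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list acl_crypto

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tunnel 10 ipsec-isakmp
crypto map tunnel 10 match address acl_crypto
crypto map tunnel 10 set peer 203.0.113.1
crypto map tunnel 10 set transform-set strong
crypto map tunnel interface outside
sysopt connection permit-ipsec

! 2. Inside ACL: the port-level policy. Traffic denied here is dropped as it
!    enters the inside interface, before it is ever compared with the crypto
!    map, so it never reaches the tunnel. The ACL is evaluated first match
!    wins, and it also sees Internet-bound traffic, so permit that explicitly
!    at the end instead of relying on the implicit deny.
access-list acl_in permit tcp host 192.168.1.10 host 10.0.0.5 eq 21
access-list acl_in permit udp 192.168.1.0 255.255.255.0 host 10.0.0.5 eq 53
access-list acl_in deny ip host 192.168.1.99 10.0.0.0 255.255.255.0
access-list acl_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_in permit ip 192.168.1.0 255.255.255.0 any
access-group acl_in in interface inside
```

Connections that were already established before the ACL was applied keep flowing until they time out or are cleared; only new connections are evaluated against the new entries.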

New Member

Re: Can "normal" access-list be added to a PIX w/ existing IPSEC

Yes, this is exactly what I mean. One thing though - should the access-list be constructed with the normal "access-list 101 permit/deny tcp/udp x.x.x.x x.x.x.x eq xx" or should I be permitting/denying isakmp/ipsec? I experimented with this by applying a permit for some hosts, then a deny for a particular host, then a "deny ip any any" last in the list, and still seemed to be able to "ping" with the host I was denying access to??? Hmmmm? Cleared the "xlate's" and "arp table". It's a wonder why I could not even find one single article on this??

Thanks for any input.

-p

New Member

Re: Can "normal" access-list be added to a PIX w/ existing IPSEC

Thank you for your assistance - everything is working with the ACLs on the inside interface now.

-p
