Can "normal" access-list be added to a PIX w/ existing IPSEC access-list?

ppierre
Level 1

I have a 501 PIX configured to perform "PIX to Concentrator Tunnel". I have configured the appropriate access-lists and bound them to the appropriate crypto-maps using the "match" command. I have basically used "ip" and not tcp or udp to determine access in my access-list statements. Can I configure separate lists to permit or deny using tcp and udp, then bind them to the inside interface? e.g. access-list acl_in permit tcp host 1.1.1.1 2.2.2.2 eq 21.

3 Replies

gfullage
Cisco Employee

You mean having an ACL on the inside int stopping traffic from going out. Sure, you can do that. This is actually an effective way to stop certain traffic from going over the tunnel, as we don't recommend using TCP/UDP port numbers in crypto access-lists (too easy to get them mixed up when doing the opposite at the other end).

Stopping the traffic from even coming in on the inside interface is the best way to do this, while allowing all traffic that can come in on the inside interface over the crypto tunnel.

Yes, this is exactly what I mean. One thing though - should the access-list be constructed with the normal "access-list 101 permit/deny tcp/udp x.x.x.x x.x.x.x eq xx" or should I be permitting/denying isakmp/ipsec? I experimented with this by applying a permit for some hosts, then a deny for a particular host, then a "deny ip any any" last in the list, and still seemed to be able to "ping" with the host I was denying access to??? Hmmmm? Cleared the xlates and ARP table. It's a wonder why I could not even find one single article on this??

Thanks for any input.

-p

Thank you for your assistance - everything is working with the ACLs on the inside interface now.

-p
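The configuration pattern described in the replies above, written out as an added example (not configuration posted in this thread): the crypto access-list that feeds `match address` stays a plain `ip` permit between the two protected subnets, and all per-host and per-port filtering lives in a separate access-list applied to the inside interface with `access-group`. It uses PIX 6.x syntax; the subnets, hostnames, peer address, and list names are made up, the pre-shared key is a placeholder, and lines starting with `!` are annotations rather than configuration.

```text
! --- Crypto ACL: protocol "ip" only, no ports. The Concentrator's crypto ACL
! --- must be the exact mirror image of this one, which is why port numbers
! --- are best kept out of it (they are easy to invert at the other end).
access-list vpn_to_concentrator permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! --- Exempt tunnel traffic from NAT so the crypto ACL sees the real addresses.
nat (inside) 0 access-list vpn_to_concentrator

! --- Inside-interface ACL: this is where host and port policy lives. Entries are
! --- evaluated top-down, the first match wins, and an implicit deny follows.
! --- Traffic dropped here never reaches the crypto map at all.
access-list acl_in permit tcp host 10.1.1.5 host 10.2.2.5 eq 21
access-list acl_in permit udp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 53
access-list acl_in deny   ip  host 10.1.1.9 any
access-list acl_in permit ip  10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list acl_in deny   ip  any any

! --- Without this line the ACL exists but filters nothing.
access-group acl_in in interface inside

! --- Crypto map on the outside interface, matching the "ip"-only crypto ACL.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tunnel_map 10 ipsec-isakmp
crypto map tunnel_map 10 match address vpn_to_concentrator
crypto map tunnel_map 10 set peer 192.0.2.1
crypto map tunnel_map 10 set transform-set strong
crypto map tunnel_map interface outside

! --- Let the decrypted IPsec traffic in past the outside interface; this does
! --- not bypass the inside ACL, so acl_in still governs what goes out.
sysopt connection permit-ipsec

isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

To confirm the inside list is actually doing the filtering, `show access-list acl_in` shows a hit counter per entry: a deny entry whose counter stays at zero while the blocked host can still ping is a sign the list was never applied with `access-group` or is being matched by an earlier permit. As the thread notes, existing connections survive an ACL change until the translation is torn down, so `clear xlate` after editing the list is needed before the test is meaningful.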
