Hi, I have recently finished presenting the 501 on a roadshow in conjunction with Cisco. During my time I got asked a lot of tricky questions, most of which I was able to field, bar a couple. Both were related to the way the PIX works with a VPN tunnel.
With a 10 user licence on a PIX 501 will the 5 allowed VPN peers take up 5 licences while the tunnels are up?
When a tunnel is up is it subject to the same ACL rules as normal traffic would be or does the VPN tunnel circumnavigate the ACL rule base?
The license question is a good one. I look forward to someone sharing that answer.
As far as the ACL question, the VPN traffic appears to get pulled into the tunnel based on the MATCH ADDRESS in the Crypto statement before applying interface ACLs. Our 501s use default ACL configurations which allow no inbound sessions, yet we can create sessions in and out through the tunnel. Good luck finding details like that written down somewhere.
Your next question is probably how to apply an ACL to tunnel traffic? Just don't include it in the MATCH ADDRESS ACL. Then filter it like normal.
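To make the interaction concrete, here is a constructed PIX 6.x site-to-site configuration, added as an example and not taken from either poster. All names, addresses and the pre-shared key are placeholders. It shows the crypto map match-address ACL that selects tunnel traffic, and the setting that actually decides whether decrypted tunnel traffic is checked against the outside interface ACL: `sysopt connection permit-ipsec`. With that sysopt on (the usual default), tunnel traffic bypasses the interface ACL, which matches the behaviour described above; with it off, the outside ACL is applied to decrypted traffic as well, so you can filter inside the tunnel without removing networks from the match-address ACL (removing them stops the traffic from being encrypted at all rather than filtering it).

```cisco
! Constructed example (PIX 6.x syntax). Placeholders:
!   local LAN 192.168.1.0/24 behind this PIX (outside address 198.51.100.1)
!   remote LAN 10.0.0.0/24 behind peer 203.0.113.1

! 1. "Interesting traffic": what the crypto map pulls into the tunnel.
access-list VPN_TRAFFIC permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

! Exempt that traffic from NAT so inner addresses survive the tunnel.
nat (inside) 0 access-list VPN_TRAFFIC

! 2. IKE and IPsec parameters.
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN_TRAFFIC
crypto map SITE2SITE 10 set peer 203.0.113.1
crypto map SITE2SITE 10 set transform-set TS_3DES_SHA
crypto map SITE2SITE interface outside

! 3a. Bypass mode: decrypted tunnel traffic is NOT checked against the
!     outside ACL. Any host in 10.0.0.0/24 can reach 192.168.1.0/24 even
!     though OUTSIDE_IN below permits nothing from that range.
sysopt connection permit-ipsec

! 3b. Filtering mode: turn the bypass off, then the outside ACL must permit
!     both the IPsec control/data packets to the PIX and the decrypted
!     inner traffic you want to allow. Here only HTTPS from the remote LAN
!     to the local LAN is permitted inside the tunnel.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit udp host 203.0.113.1 host 198.51.100.1 eq 500
access-list OUTSIDE_IN permit esp host 203.0.113.1 host 198.51.100.1
access-list OUTSIDE_IN permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-group OUTSIDE_IN in interface outside
```

Use either 3a or 3b, not both. A quick check of which mode a box is in is `show running-config` (or `write terminal` on older images) and looking for the `sysopt connection permit-ipsec` line; if it is present, the interface ACL is not what is protecting the inside network from the remote peer's LAN.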