Hi all. My headquarters office is link to all other subsidiary office using site to site vpn. Currently i need to implement an accesslist on each of the pix/asa firewall of my subsidiary to limit what they can access on my headquarters. This accesslist is applied to the inside interface of my subsidiary firewalls. Hence i would like to know if it is possible to do the restriction of incoming traffic from site to site vpn on my headquarters asa5510 firewall instead of implementing the restriction on each of my subsidiary firewall. Thks in advance.
If you apply an ACL outbound on your inside interface of your HQ ASA, you will be able to restrict what the VPN's can or cannot access and then use generic ACL's for yor encryption domains for the IPSec setup.
but also bear in mind that this ACL will control access to ALL traffic entering the inside network so you will need entries for existing access.
Thk you for your advise. However my HQ is using pix515e instead of asa5510. It seems that for pix i cannot apply acl on outbound traffic on my inside interface. Any advise on how i can overcome this? Thks in advance.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...