Cisco Support Community

New Member

IPsec access-lists and tunnel-group policy.

I have an IPsec site-to-site VPN tunnel that terminates on the outside interface of the firewall. My FTP server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the site-to-site VPN, I create a tunnel group and a group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and the interface ACL working together? Does one override the other? How do these work together?

Accepted Solution
Green

Re: IPsec access-lists and tunnel-group policy.

When the traffic is IPsec, the interface ACLs are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, that is what will filter the IPsec traffic.
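To make the interaction concrete, here is an added ASA-style configuration fragment (example config, not posted by anyone in this thread) that puts the three pieces side by side: the sysopt that bypasses interface ACLs for decrypted tunnel traffic, the DMZ interface ACL, and the vpn-filter bound through the group policy to the site-to-site tunnel group. All names, addresses and ACL entries are constructed placeholders.

```cisco
! Added example configuration (ASA 8.x syntax). Names, addresses and
! ACL contents are constructed placeholders, not from the original thread.
!
! 1. While this is enabled (it is the ASA default), traffic that arrives
!    decrypted from an IPsec tunnel is NOT checked against any interface
!    ACL. If you issue "no sysopt connection permit-vpn", decrypted traffic
!    is additionally checked against the ACL applied inbound on the
!    interface the tunnel terminates on (here: outside).
sysopt connection permit-vpn

! 2. Interface ACL on the DMZ. It is applied inbound on the DMZ interface,
!    so it governs only sessions that ENTER the ASA from the DMZ (e.g.
!    connections the FTP server itself originates). It does not see the
!    tunnel traffic that arrives on outside and is forwarded into the DMZ.
access-list DMZ_IN extended permit udp host 10.20.0.5 any eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! 3. The vpn-filter is the only ACL evaluated for the decrypted tunnel
!    traffic. Write it from the REMOTE peer's point of view: source is the
!    remote network, destination is the local (DMZ) host. The ASA applies
!    the filter to both directions of the tunnel, so one line also covers
!    the server's replies. (The FTP data channel, handled by "inspect ftp",
!    is outside the scope of this example.)
access-list VPN_FILTER_SITEB extended permit tcp 192.168.50.0 255.255.255.0 host 10.20.0.5 eq ftp
access-list VPN_FILTER_SITEB extended deny ip any any log

! Bind the filter to a group policy, then make that policy the default for
! the L2L tunnel group keyed by the peer's address.
group-policy SITEB_GP internal
group-policy SITEB_GP attributes
 vpn-filter value VPN_FILTER_SITEB

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITEB_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_PSK
```

To check which path a given box is actually on: `show running-config sysopt` shows whether `permit-vpn` is in effect, `show vpn-sessiondb l2l` lists the active tunnel together with the filter name applied to it, and `show access-list VPN_FILTER_SITEB` shows per-entry hit counts, which is the quickest way to confirm that the vpn-filter, not the DMZ interface ACL, is the one seeing the tunnel traffic.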

Replies
New Member

Re: IPsec access-lists and tunnel-group policy.

Thanks

New Member

Re: IPsec access-lists and tunnel-group policy.

Thanks
