Site-to-Site VPN - ACL placement???

softwareadmin
Level 1

I have a site-to-site VPN setup between two offices, site A and site B. Can someone tell me where I would place my ACLs (on site A's PIX) to restrict traffic from site B to specific hosts/ports at site A.

TIA

6 Replies

acomiskey
Level 10

What version of pix?

If you disable sysopt connection permit-ipsec you can then write the access-list inbound on the outside interface of PIX A. If you use that command, this will filter all ipsec traffic to PIX A.

singhsaju
Level 4

Hello,

You can bind an access-list to the inside interface of the PIX, but remember this access-list would be inbound.

For example:

access-list 120 deny ip host 172.16.10.10 192.168.10.0 255.255.255.0
access-list 120 permit ip any any
access-group 120 in interface inside

HTH

Saju

Pls rate if it helps

Site A has a PIX running 6.3(5).

I already have an access-list associated with my inside interface. I was thinking I could put it there, but wasn't sure.

So I could say:

object-group network DB_Servers
  network-object host 2.2.2.3
  network-object host 2.2.2.4
object-group service DB_Server_Ports tcp-udp
  port-object eq 1521
  port-object eq 3306
access-list my_acl permit ip host 1.1.1.1 object-group DB_Servers DB_Server_Ports

Is the permit statement correct using "ip"?

Your original post sounds like you were filtering traffic originating from site B destined to site A. If this is the case, filtering traffic into the inside interface of site A won't work. You would want to put an inside ACL on site B.

I agree with Adam, try to put the ACL on site B instead of site A.

In this particular case that will work fine as I have access to both ends of the tunnel.

However, if I had no access to the other end, like if it were a contractor, how would I protect myself from something coming into my network across the tunnel from their network?
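The following PIX 6.3 configuration is an added example, not something posted in this thread or taken from Cisco documentation. It combines acomiskey's first reply (disable sysopt connection permit-ipsec so decrypted tunnel traffic is checked by the outside interface ACL on PIX A) with the object-group ACL from the OP's draft, which answers both the "is ip correct?" question and the case where site B is a contractor's network you do not control. The host addresses are the OP's placeholders, the interface names "outside" and "inside" and the ACL name outside_in are assumptions, and the lines beginning with "!" are explanatory comments for the reader, not commands: strip them before pasting into the PIX.

```text
! Added example for PIX A running 6.3(5). Assumed names: outside/inside, outside_in.
! Hypothetical addresses (the OP's placeholders): site B client 1.1.1.1,
! site A database servers 2.2.2.3 and 2.2.2.4.

! 1. Stop IPsec-delivered traffic from bypassing the interface ACLs.
!    With this removed, packets that arrive through the tunnel are evaluated
!    against the outside interface ACL after decryption.
no sysopt connection permit-ipsec

! 2. Group the site A hosts and ports the remote site is allowed to reach.
object-group network DB_Servers
  network-object host 2.2.2.3
  network-object host 2.2.2.4
object-group service DB_Server_Ports tcp-udp
  port-object eq 1521
  port-object eq 3306

! 3. Inbound ACL on the outside interface. A port object-group can only be
!    used with tcp or udp, not ip, and in 6.3 syntax every group reference
!    is preceded by the object-group keyword.
access-list outside_in permit tcp host 1.1.1.1 object-group DB_Servers object-group DB_Server_Ports
access-list outside_in permit udp host 1.1.1.1 object-group DB_Servers object-group DB_Server_Ports
! Anything else arriving from the tunnel (or from the Internet) hits the
! implicit deny at the end of the list.
access-group outside_in in interface outside
```

Two points to check before relying on this. First, if PIX A already has an ACL bound inbound on the outside interface, the permit lines above must be merged into that list rather than bound as a second one, and any other VPN traffic (for example remote-access clients) that previously relied on sysopt connection permit-ipsec now needs its own permit entries. Second, this assumes that, as on 6.3, IKE and ESP packets addressed to the PIX itself are handled before the interface ACL is consulted, so the tunnel still comes up; confirm that after applying the change by establishing the tunnel and then verifying with a connection from site B that only the listed ports succeed and a blocked port is logged as denied by outside_in.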
