From: Paul Lalonde (plalonde2@cogeco.ca)
Date: Wed Sep 24 2003 - 10:53:26 GMT-3
Hi Phil,
When performing IPSEC VPN tunnels on PIX firewalls, you use access lists
that define the "interesting traffic." These access lists specifically
define what is allowed to pass through the VPN tunnel.
You can either make these access lists more restrictive, or as you said, you
can apply an outbound access list on the PIX's LAN interface to filter
unwanted IPSEC traffic before it hits the LAN.
Alternatively, you can also use an 'inbound' access list on the LAN
interface of the PIX to block return traffic... but it's not as intuitive as
the 'outbound' acl on the LAN interface.
Hope this helps,
Paul Lalonde
CCIE #11749
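The configuration below is an added example from the editor, not part of the thread and not taken from Cisco documentation. It shows the two pieces the reply talks about on one PIX: the crypto ACL that selects "interesting traffic", and a separate filter applied to the traffic after it has been decrypted. Interface names, addresses (10.1.1.0/24 behind "inside", outside address 192.0.2.1, peer 198.51.100.1 protecting 10.2.2.0/24), ACL names and the permitted services are all assumptions; the syntax is PIX 6.x.

```text
! Added example, not from the thread. All addresses and names are assumed.
! Local LAN 10.1.1.0/24 on "inside", PIX outside 192.0.2.1,
! remote PIX 198.51.100.1 protecting 10.2.2.0/24. PIX 6.x syntax.

! 1. Interesting traffic. This ACL only decides what gets encrypted and which
!    proxy identities the peer may negotiate; it is not a filter on what the
!    peer chooses to send inside the tunnel.
access-list VPN-TO-SITEB permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Keep private addresses intact across the tunnel.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. IKE and IPsec.
isakmp enable outside
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set SITEB-TS esp-3des esp-sha-hmac
crypto map SITEB 10 ipsec-isakmp
crypto map SITEB 10 match address VPN-TO-SITEB
crypto map SITEB 10 set peer 198.51.100.1
crypto map SITEB 10 set transform-set SITEB-TS
crypto map SITEB interface outside

! 3. Why decrypted tunnel traffic "bypasses the inbound ACL": this sysopt
!    exempts packets that arrived through an IPsec tunnel from the interface
!    ACL check. Turn it off so the outside ACL sees the decrypted packets too.
no sysopt connection permit-ipsec

! 4. Filter on the existing inbound ACL of the outside interface. With the
!    sysopt off, the tunnel's own IKE and ESP packets to the PIX must be
!    permitted explicitly; then only the intended services are allowed in
!    from site B, and everything else from 10.2.2.0/24 falls to the implicit
!    deny at the end of the list.
access-list OUTSIDE-IN permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list OUTSIDE-IN permit esp host 198.51.100.1 host 192.0.2.1
access-list OUTSIDE-IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.25 eq smtp
access-list OUTSIDE-IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.22 eq ssh
access-group OUTSIDE-IN in interface outside
```

The point of step 1 versus step 4 is that the crypto ACL and the traffic filter are different controls: narrowing the crypto ACL limits which subnets the tunnel will carry at all, while the interface ACL decides which hosts and ports the remote side may actually reach once its packets are decrypted. The other option mentioned in the reply, an ACL applied outbound on the LAN interface (`access-group NAME out interface inside`), filters the same decrypted traffic as it leaves toward the LAN, but the `out` direction on `access-group` is PIX 7.0 and later syntax, so on PIX 6.x the sysopt plus outside-ACL approach above is the way to get the filtering.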
----- Original Message -----
From: <p.virnoche@verizon.net>
To: <ccielab@groupstudy.com>
Sent: Wednesday, September 24, 2003 9:31 AM
Subject: OT: Filtering PIX to PIX IPsec traffic
> Good morning-
> Sorry for the OT, but I have one that I am having trouble figuring out.
> I have a requirement that ALL traffic between my two sites be encrypted.
> NO problem..... but how do I filter it once it gets to the terminating PIX?
> When it comes in on the tunnel, it bypasses the inbound ACLs, right? Or can
> I have the PIX somehow filter on the existing inbound ACL? Is my only
> option to create an ACL and put it "outbound" on the inside interface?
>
> ANY info would be greatly appreciated!!!!
>
> Phil
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:35 GMT-3