RE: Filtering PIX to PIX IPsec traffic

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Sep 24 2003 - 15:08:26 GMT-3


Phil,

        By default IPSec traffic is not let in. You're explicitly
letting it in with the 'sysopt connection permit-ipsec'. If you only
want to permit certain types of traffic, leave that statement off and
just configure a regular access-list in on the outside interface
permitting only what you want.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> p.virnoche@verizon.net
> Sent: Wednesday, September 24, 2003 8:32 AM
> To: ccielab@groupstudy.com
> Subject: OT: Filtering PIX to PIX IPsec traffic
>
> Good morning-
> Sorry for the OT, but I have one that I am having trouble figuring out.
> I have a requirement that ALL traffic between my two sites be encrypted.
> NO problem..... but how do I filter it once it gets to the terminating
> PIX? When it comes in on the tunnel, it bypasses the inbound ACLs... right?
> Or can I have the PIX somehow filter on the existing inbound ACL? Is my
> only option to create an ACL and put it "outbound" on the inside
> interface?
>
> ANY info would be greatly appreciated!!!!
>
> Phil
>
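To make Brian's point concrete, here is an added PIX 6.x configuration fragment (not from the thread) showing the bypass statement he refers to next to the replacement: an inbound ACL on the outside interface that is applied to the decrypted site-to-site traffic. Addresses, server, and ACL names are constructed; whether IKE/ESP to the firewall's own address needs explicit ACL entries once the sysopt is removed depends on the PIX version, so those two lines are included as an assumption.

```cisco
! Constructed example. Local PIX outside 198.51.100.1, inside 10.1.0.0/16;
! remote peer 203.0.113.2 with inside 10.2.0.0/16. Names/addresses are not from the thread.

! --- As asked about: decrypted tunnel traffic skips the interface ACL ---
sysopt connection permit-ipsec
! With this present, anything matched by the crypto ACL below is accepted after
! decryption no matter what access-group is bound to the outside interface.

! --- Brian's suggestion: remove the bypass and filter with a regular inbound ACL ---
no sysopt connection permit-ipsec

! Crypto ACL (interesting traffic) is unchanged: all traffic between the sites is encrypted.
access-list vpn_traffic permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Assumption: IKE and ESP from the peer to the PIX itself; needed on some PIX versions
! once the sysopt is gone. Harmless if your version already permits to-the-box IPsec.
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.1

! What the remote site may reach after decryption: SMTP to one mail relay and ping.
access-list outside_in permit tcp 10.2.0.0 255.255.0.0 host 10.1.5.25 eq smtp
access-list outside_in permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 echo
! Explicit deny with logging so unexpected traffic over the tunnel shows up in syslog.
access-list outside_in deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log
access-group outside_in in interface outside
```

Check the result with `show access-list outside_in` after sending a permitted and a denied flow from the remote site; hit counts should increment on the matching lines rather than on nothing, which is what you see while `sysopt connection permit-ipsec` is still in place.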



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:35 GMT-3