From: Dave Swink (dswink) (dswink@cisco.com)
Date: Thu Sep 25 2003 - 12:07:58 GMT-3
Paul,
You can define interesting traffic for the IPSec tunnel by destination
and source IP addresses, but it will not use any port definitions in the
ACL. The only way I know to filter traffic by IP and port would be with
an ACL applied IN on the interface of the PIX where the traffic is
entering initially.
Dave Swink, CCIE #11678
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Todd Veillette
Sent: Wednesday, September 24, 2003 7:42 PM
To: Paul Lalonde; p.virnoche@verizon.net; ccielab@groupstudy.com
Subject: Re: Filtering PIX to PIX IPsec traffic
Actually, ACLs can only be applied in on a PIX.
-TV
----- Original Message -----
From: "Paul Lalonde" <plalonde2@cogeco.ca>
To: <p.virnoche@verizon.net>; <ccielab@groupstudy.com>
Sent: Wednesday, September 24, 2003 9:53 AM
Subject: Re: Filtering PIX to PIX IPsec traffic
> Hi Phil,
>
> When performing IPSEC VPN tunnels on PIX firewalls, you use access
> lists that define the "interesting traffic." These access lists
> specifically define what is allowed to pass through the VPN tunnel.
>
> You can either make these access lists more restrictive, or, as you
> said, you can apply an outbound access list on the PIX's LAN interface
> to filter unwanted IPSEC traffic before it hits the LAN.
>
> Alternatively, you can also use an 'inbound' access list on the LAN
> interface of the PIX to block return traffic... but it's not as
> intuitive as the 'outbound' ACL on the LAN interface.
>
> Hope this helps,
> Paul Lalonde
> CCIE #11749
>
> ----- Original Message -----
> From: <p.virnoche@verizon.net>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, September 24, 2003 9:31 AM
> Subject: OT: Filtering PIX to PIX IPsec traffic
>
>
> > Good morning-
> > Sorry for the OT, but I have one that I am having trouble figuring
> > out. I have a requirement that ALL traffic between my two sites be
> > encrypted. NO problem..... but how do I filter it once it gets to the
> > terminating PIX? When it comes in on the tunnel, it bypasses the
> > inbound ACLs,.. right? Or can I have the PIX somehow filter on the
> > existing inbound ACL?... Is my only option to create an ACL and put
> > it "outbound" on the inside interface?
> >
> > ANY info would be greatly appreciated!!!!
> >
> > Phil
> >
> > ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
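The following PIX 6.x configuration is an added example, not posted by anyone in the thread, that ties the answers above together: the crypto ACL selects traffic for the tunnel by source and destination network only; `no sysopt connection permit-ipsec` keeps decrypted tunnel traffic subject to the access list bound inbound on the outside interface (with the sysopt set, tunnel traffic skips that ACL, which is the bypass Phil is asking about); and that outside ACL is where the per-port filtering lives. All names, addresses (10.1.1.0/24 local, 10.2.2.0/24 remote, peer 203.0.113.2) and the pre-shared key are hypothetical, and the remote PIX needs the mirror-image crypto ACL and peer.

```text
! Interesting traffic: everything between the two LANs goes through the tunnel.
! Only source/destination networks matter here; ports in this ACL are not what
! restricts what the far side may reach.
access-list VPN-TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Exempt site-to-site traffic from NAT (hypothetical addressing).
nat (inside) 0 access-list VPN-TRAFFIC

! Phase 1 / phase 2 parameters; peer address and key are placeholders.
isakmp enable outside
isakmp key ReplaceWithStrongSharedSecret address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! With "sysopt connection permit-ipsec" set, decrypted tunnel traffic is passed
! without consulting the outside interface ACL. Turn it off so the ACL applies.
no sysopt connection permit-ipsec

! Inbound ACL on the outside interface. Decrypted traffic from the remote LAN
! is evaluated here, so this is where the port restrictions go. Only the two
! services below are reachable from the remote site; the explicit deny (and the
! implicit deny at the end of every ACL) drops the rest.
access-list OUTSIDE-IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 443
access-list OUTSIDE-IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list OUTSIDE-IN deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
```

Since access lists on PIX 6.x bind only in the inbound direction, traffic that the local LAN initiates toward the remote site is filtered by an ACL applied `in interface inside`, not by anything "outbound"; replies to sessions already permitted in either direction are allowed by the connection table, so neither ACL needs to list return traffic. To confirm the outside ACL is actually seeing tunnel traffic, check that the hit counters in `show access-list OUTSIDE-IN` increase when hosts on the remote LAN connect.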
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:37 GMT-3