Re: ASA and IPSEC VPN filtering

From: JB Poplawski <jb.poplawski_at_gmail.com>
Date: Thu, 8 Mar 2012 16:41:12 -0600

But how do you protect the ASA that's protecting your ASA? :>)

On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:

> We put another device in front of our ASA's for this type of control. The
> ACL's you apply to the ASA's don't actually inspect for IPSEC tunnels, I
> don't believe. It's the outside interface you are trying to protect, and
> not traffic through the device, which makes sense why the ACL's aren't
> working. Kind of like SSH and ASDM access on the outside interface.
>
> Hope that helps.
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from iJay
>
> On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com>
> wrote:
>
> > I have an ASA and I only want specific IP's to be able to access my ASA to
> > form an IPSEC peer. I created a rule for the outside interface to only
> > allow specific peers to be accepted via isakmp, and ESP, but the rule
> > never gets any hits. Is the ASA like the routers and the ACL's do not
> > apply to the ASA interfaces itself? Is it possible to filter out what
> > IP's I want the ASA to respond to via ESP and isakmp via an ACL? Long story
> > short I am being asked to do this b/c of aggressive mode for my VPN's.
> >
> > Thoughts?
> >
> >
> > --
> > Christopher D. Copley
> > copley.chris_at_gmail.com
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

Received on Thu Mar 08 2012 - 16:41:12 ART

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART
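
Added example, not part of the original thread or any poster's configuration: on ASA software that supports it, an ACL bound with the `control-plane` keyword of `access-group` is evaluated against traffic addressed to the ASA itself, which is the case the question above describes. The peer addresses and the ACL name `CP-VPN-PEERS` are placeholders.

```cisco
! Constructed example. The peer addresses (documentation ranges) and the
! ACL name CP-VPN-PEERS are placeholders, not values from this thread.
!
! Allow IKE, NAT-T and ESP addressed to the ASA only from the known peers.
access-list CP-VPN-PEERS extended permit udp host 198.51.100.10 any eq isakmp
access-list CP-VPN-PEERS extended permit udp host 198.51.100.10 any eq 4500
access-list CP-VPN-PEERS extended permit esp host 198.51.100.10 any
access-list CP-VPN-PEERS extended permit udp host 203.0.113.20 any eq isakmp
access-list CP-VPN-PEERS extended permit udp host 203.0.113.20 any eq 4500
access-list CP-VPN-PEERS extended permit esp host 203.0.113.20 any
!
! Drop the same protocols from every other source. The denies are written
! out so the result does not depend on any implicit rule at the end.
access-list CP-VPN-PEERS extended deny udp any any eq isakmp
access-list CP-VPN-PEERS extended deny udp any any eq 4500
access-list CP-VPN-PEERS extended deny esp any any
!
! A plain "access-group ... in interface outside" filters traffic passing
! through the ASA. The control-plane keyword applies the ACL to traffic
! that terminates on the outside interface instead.
access-group CP-VPN-PEERS in interface outside control-plane
!
! Check that the entries are matching: hit counts should increase when a
! listed peer negotiates and when an unlisted source probes UDP 500.
show access-list CP-VPN-PEERS
```

An interface can carry both a regular `access-group` and a `control-plane` one, so this does not replace the existing through-traffic ACL on `outside`.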