Re: ASA and IPSEC VPN filtering

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Thu, 8 Mar 2012 16:33:03 -0600

We put another device in front of our ASAs for this type of control. The ACLs you apply to the ASAs don't actually inspect for IPSEC tunnels, I don't believe. It's the outside interface you are trying to protect, and not traffic through the device, which explains why the ACLs aren't working. Kind of like SSH and ASDM access on the outside interface.

Hope that helps.

Regards,
Jay McMickle - CCNP, CCSP, CCDP
Sent from iJay

On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com> wrote:

> I have an ASA and I only want specific IPs to be able to access my ASA to
> form an IPSEC peer. I created a rule for the outside interface to only
> allow specific peers to be accepted via ISAKMP and ESP, but the rule
> never gets any hits. Is the ASA like the routers, where the ACLs do not
> apply to the ASA interfaces themselves? Is it possible to filter out what
> IPs I want the ASA to respond to via ESP and ISAKMP via an ACL? Long story
> short I am being asked to do this b/c of aggressive mode for my VPNs.
>
> Thoughts?
>
>
> --
> Christopher D. Copley
> copley.chris_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

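Editor's note, added to the archive and not part of either post: the distinction Jay draws is between through-the-box traffic, which interface ACLs filter, and to-the-box traffic such as ISAKMP and ESP addressed to the ASA's own outside address, which they do not. The sketch below contrasts the two. It is example configuration, not from the thread, and it assumes an ASA release that accepts the `control-plane` keyword on `access-group`, an outside interface address of 198.51.100.1 and a single permitted peer at 203.0.113.10 (both are placeholder addresses). Verify the keyword against the command reference for your release before relying on it.

```cisco
! Through-the-box ACL (what the original poster tried). It is consulted only
! for packets transiting the ASA, so ISAKMP/ESP sent to the outside
! interface address never match it and the counters stay at zero.
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit esp host 203.0.113.10 host 198.51.100.1
access-group OUTSIDE-IN in interface outside

! Control-plane ACL: evaluated against to-the-box traffic on the interface.
! Permit the known peer for IKE (UDP/500), NAT-T (UDP/4500) and ESP, then
! log and drop IKE/ESP from anyone else. Because a control-plane ACL ends
! with an implicit deny for ALL to-the-box traffic, the final permit keeps
! management, routing and other to-the-box services working as before.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq isakmp log
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500 log
access-list OUTSIDE-CP extended deny esp any host 198.51.100.1 log
access-list OUTSIDE-CP extended permit ip any any
access-group OUTSIDE-CP in interface outside control-plane

! Hit counts on these entries (unlike OUTSIDE-IN) will now increment as
! peers attempt IKE, which is the check the original poster was looking for.
show access-list OUTSIDE-CP
```

Restricting which source addresses may even begin an IKE exchange is the mitigation the original poster was asked for: an aggressive-mode responder only ever answers the listed peers, and the logged denies give the operations team visibility into anyone else probing the VPN endpoint.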
Received on Thu Mar 08 2012 - 16:33:03 ART
