Firewall Wizards mailing list archives

Decrypted VPN traffic and access lists on outside interface of PIX


From: John Galt <jgalt163 () comcast net>
Date: Mon, 23 Aug 2004 09:13:58 -0400

Hello All,

Can someone please clear something up for me?

Is decrypted traffic from a site-to-site VPN sent back through an access list that is applied to the outside interface of a PIX?

For example:

If a crypto map match entry uses an access list that includes:

permit ip 192.168.10.1 255.255.255.255 192.168.20.2 255.255.255.255

Assume that the VPN successfully connects and that there is full IP connectivity between local host 192.168.10.1 and remote host 192.168.20.2.

If I then use the access-group command on the outside interface and apply an access list that includes:

permit tcp host 192.168.2.20 host 192.168.1.10 eq telnet
deny ip host 192.168.2.20 host 192.168.1.10

Would access be restricted to only telnet traffic from remote host 192.168.2.20 to local host 192.168.1.10?

Thanks.

John


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
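Added example, not from the original post or any reply: a PIX 6.3 configuration fragment showing the two access lists from the question side by side with the one command that decides whether decrypted tunnel traffic is checked by the outside interface ACL, `sysopt connection permit-ipsec`. The post's crypto ACL and outside ACL name different hosts; this fragment uses the crypto-map pair (local 192.168.10.1, remote 192.168.20.2) in both places. The ACL names `vpn-traffic` and `outside_in`, the crypto map name `peer`, the transform-set name `strong` and the peer address 203.0.113.1 are assumptions; the isakmp policy and pre-shared key lines are omitted.

```cisco
! Added example (not the original poster's configuration). PIX 6.3 syntax.
! Names vpn-traffic, outside_in, peer, strong and the peer 203.0.113.1 are assumed.

! 1. Interesting traffic for the site-to-site tunnel, referenced by the crypto map.
access-list vpn-traffic permit ip host 192.168.10.1 host 192.168.20.2

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map peer 10 ipsec-isakmp
crypto map peer 10 match address vpn-traffic
crypto map peer 10 set peer 203.0.113.1
crypto map peer 10 set transform-set strong
crypto map peer interface outside
isakmp enable outside
! (isakmp policy and isakmp key lines omitted)

! 2. Outside-interface ACL. Direction matters: the decrypted packets arrive
!    inbound on outside, sourced from the remote host, destined to the local host.
access-list outside_in permit tcp host 192.168.20.2 host 192.168.10.1 eq telnet
access-list outside_in deny ip host 192.168.20.2 host 192.168.10.1
access-group outside_in in interface outside

! 3. The switch that answers the question.
!    If "sysopt connection permit-ipsec" is configured, packets that arrived
!    through the IPsec tunnel bypass outside_in entirely and the deny above has
!    no effect. With it negated, as below, decrypted packets are matched
!    against outside_in, so only telnet from 192.168.20.2 to 192.168.10.1 passes.
no sysopt connection permit-ipsec
```

To confirm which behaviour a box is in, generate some non-telnet traffic across the tunnel and compare `show crypto ipsec sa` decrypt counters with the `hitcnt` values in `show access-list outside_in`: decrypted packets that are being checked increment the deny entry, bypassed ones do not. On PIX 7.x and ASA the equivalent command is `sysopt connection permit-vpn`, which is enabled by default, so the same bypass applies there unless it is explicitly negated.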

