Firewall Wizards mailing list archives
Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"
From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Thu, 14 May 2009 10:57:36 +0300
Hello Mike,

You can do this using the vpn-filter command; the following are GUI and CLI links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

The second option you mention translates to the following CLI command:

sysopt connection permit-vpn

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381414

By default, because this command is enabled, all VPN tunnels terminated ON the appliance itself are permitted and the interface ACL does not need to permit IKE, NAT-T (UDP 4500), ESP, etc. If you disable it, then you need to specifically allow VPN traffic on the ACL.

Regards,
Farrukh

On Wed, May 13, 2009 at 2:31 PM, Michael Tewner <tewner () gmail com> wrote:
Hi all - I'm using a Cisco ASA 5500 series appliance with ASDM 6.1. As I understand it, by default, incoming packets from IPsec site-to-site VPNs are not checked by the standard interface ACLs.

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from a specific remote host to a local host/LAN?

(2) I found the following checkbox in the "IPsec VPN Wizard" which might be a step in the right direction - "Enable inbound IPsec sessions to bypass interface access lists."
(a) Is this the proper setting?
(b) I assume that this will send the incoming traffic through the "outside" interface? Right?
(c) Does this checkbox apply to ALL IPsec sessions on all VPNs? Will this apply to my other VPNs?
(d) What Cisco ASA/PIX command does this translate to?
(e) Is there a screen in the ASDM where I can enable this after-the-fact?

(3) Or, perhaps, I'm looking in completely the wrong place?

Thank you!!
-Mike

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
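The following is an added example, not part of the thread and not taken from Cisco's documentation. It is a constructed ASA configuration fragment that puts the two approaches from the reply side by side: keeping the default `sysopt connection permit-vpn` bypass while attaching a `vpn-filter` to the group-policy of one site-to-site tunnel (so only SSH from one remote host to one local host is allowed through that tunnel), and the alternative of turning the bypass off so decrypted traffic from every tunnel is evaluated by the outside interface ACL. All addresses, ACL names, group-policy and tunnel-group names are assumptions; the crypto map, transform set and pre-shared key are omitted because they are unchanged by either approach.

```cisco
! Added example (not from the thread or Cisco docs). Assumed values:
!   remote peer 203.0.113.2, remote admin host 192.0.2.10 (behind the peer),
!   local SSH target 10.1.1.5, names SITEB-GP and SITEB-VPN-FILTER.
!
! --- Option 1: keep the default bypass, filter ONE tunnel with vpn-filter ---
! Default on a fresh config: decrypted VPN traffic skips the interface ACL.
! Leave it on and attach a per-tunnel filter instead.
sysopt connection permit-vpn
!
! vpn-filter ACL convention: source = remote (peer side), destination = local.
! The ASA applies the same ACL to post-decryption inbound and pre-encryption
! outbound traffic with source/destination swapped, so keep it tight.
! The implicit deny at the end blocks everything else through this tunnel;
! the explicit deny with "log" only adds visibility of what was dropped.
access-list SITEB-VPN-FILTER extended permit tcp host 192.0.2.10 host 10.1.1.5 eq 22
access-list SITEB-VPN-FILTER extended deny ip any any log
!
group-policy SITEB-GP internal
group-policy SITEB-GP attributes
 vpn-filter value SITEB-VPN-FILTER
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy SITEB-GP
!
! Tunnels whose group-policy has no vpn-filter keep the full bypass, which
! answers question (2c): the sysopt is global, the vpn-filter is per policy.
!
! --- Option 2: disable the bypass globally, filter in the interface ACL ---
! With the sysopt off, decrypted traffic from EVERY tunnel is evaluated by the
! inbound ACL of the interface the tunnel terminates on (usually "outside"),
! so each tunnel's permitted flows must appear there.
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit tcp host 192.0.2.10 host 10.1.1.5 eq 22
! access-group OUTSIDE-IN in interface outside
!
! Verification (read-only):
! show running-config all sysopt   -> shows whether permit-vpn is currently set
! show vpn-sessiondb detail l2l    -> lists the filter applied to each tunnel
```

Option 1 is usually the better fit for the question in the thread, because it restricts a single tunnel without changing how the other tunnels are treated; option 2 changes the behaviour of every tunnel at once, so the outside ACL must be audited for each of them before the sysopt is disabled.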
Current thread:
- Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 13)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Farrukh Haroon (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Paul Melson (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 24)