Firewall Wizards mailing list archives
Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"
From: Michael Tewner <tewner () gmail com>
Date: Wed, 13 May 2009 14:31:59 +0300
Hi all - I'm using a Cisco ASA 5500 series appliance with ASDM 6.1. As I understand it, by default, incoming packets from IPsec site-to-site VPN's are not checked by the standard interface ACL's - (1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from a specific remote host to a local host/LAN? (2) I found that following checkbox in the "IPsec VPN Wizard" which might be a step in the right direction - "Enable inbound IPsec sessions to bypass interface access lists." (a) Is this the proper setting? (b) I assume that this will send the incoming traffic through the "outside" interface? right? (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will this apply to my other VPN's? (d) What Cisco ASA/PIX command does this translate to (e) Is there a screen in the ASDM where I can enable this after-the-fact? (3) Or, perhaps, I'm looking in completely the wrong place? Thank you!! -Mike
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 13)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Farrukh Haroon (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Paul Melson (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 24)