Firewall Wizards mailing list archives

Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"

From: Michael Tewner <tewner () gmail com>
Date: Wed, 13 May 2009 14:31:59 +0300

Hi all -

I'm using a Cisco ASA 5500 series appliance with ASDM 6.1.

As I understand it, by default, incoming packets from IPsec site-to-site
VPN's are not checked by the standard interface ACL's -

(1) Where _can_ I limit incoming traffic from a specific VPN - i.e. SSH from
a specific remote host to a local host/LAN?

(2) I found that following checkbox in the "IPsec VPN Wizard" which might be
a step in the right direction - "Enable inbound IPsec sessions to bypass
interface access lists."
     (a) Is this the proper setting?
     (b) I assume that this will send the incoming traffic through the
"outside" interface? right?
     (c) Does this checkbox apply to ALL IPsec sessions on all VPN's? Will
this apply to my other VPN's?
     (d) What Cisco ASA/PIX command does this translate to
     (e) Is there a screen in the ASDM where I can enable this
after-the-fact?

(3) Or, perhaps, I'm looking in completely the wrong place?

Thank you!!
-Mike

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 13)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Farrukh Haroon (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Paul Melson (May 14)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
- Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Eric Gearhart (May 17)
  - Re: Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists" Michael Tewner (May 24)