Site-to-Site VPN (where to apply the acl)

martinp05 (Technical User, AT), May 19, 2005

Hello!

I am not sure, so I need some help. :)

When I want to control the traffic going through the VPN (site-to-site between two PIXes, for example between the two LANs behind the inside interfaces), I can do an ACL on both inside interfaces, right?

It is clear that I can check outbound traffic on the inside interface with an ACL. But when I want to block some traffic coming from the other network through the VPN, can I do this with the same ACL applied on the inside interface?

So I will block inbound traffic (coming through the VPN) on the inside interface.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
I'm new at this so this might be a silly idea, but why not simply modify the ACL you are using for the match address in your crypto map? I.e. add a deny statement to block the unwanted traffic.

That's what I would try given this task.



Peter Sherwood

Morrack Consulting
 
Hello,

in the crypto map I only permit/deny traffic from the point of view of my side (I hope you understand what I mean).

So the src is always my network or hosts of my network.

When I want to enable traffic originated from my side it works fine. But it does not work when I want to deny traffic originated from the other side.

The crypto map reflects only the point of view of my side and of my network.

Yesterday I got time to test it:
when the packets come through the VPN (over the outside interface) and want to get into the LAN behind the inside interface, I can use the ACL for the inside interface. There I can deny traffic coming through the VPN from the other network. This works fine.

Thanks to all.
martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
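The following PIX configuration fragment is an added example illustrating the two ACLs discussed in this thread; it is not from any of the posters and not a tested copy of their setup. It assumes PIX 7.x syntax (where an ACL can be applied in the `out` direction on the inside interface; 6.x only supports `in`), constructed addresses (local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, remote peer 203.0.113.2), and hypothetical ACL, crypto map and transform set names. ISAKMP policy, pre-shared key and NAT exemption are omitted.

```cisco
! Added example, not from the thread. Constructed addressing:
!   local LAN  10.1.0.0/24 behind interface inside
!   remote LAN 10.2.0.0/24 behind the peer 203.0.113.2

! 1) Crypto ACL ("match address"): defines which traffic is encrypted,
!    written from the local point of view (src = local, dst = remote).
!    The peer's crypto ACL must be the mirror image, so this ACL is a
!    tunnel definition, not a place to filter the remote side's traffic.
access-list vpn_traffic extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

! 2) What the local LAN may send into the tunnel: ACL applied "in" on
!    inside, i.e. to packets arriving from the local LAN (the outbound
!    case in the thread).
access-list inside_in extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-group inside_in in interface inside

! 3) What the remote LAN may reach in the local LAN: ACL applied "out"
!    on inside, i.e. to packets leaving the PIX toward the local LAN.
!    Decrypted VPN traffic passes this point, so a deny here blocks
!    traffic originated on the other side (here: RDP to one host).
access-list inside_out extended deny tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 3389
access-list inside_out extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Restore default behaviour for non-VPN flows (replies to local
! connections, traffic already permitted by the outside ACL).
access-list inside_out extended permit ip any any
access-group inside_out out interface inside
```

Two caveats worth checking on a real box: by default the PIX bypasses the outside interface ACL for decrypted IPsec traffic (`sysopt connection permit-ipsec` on 6.x, `sysopt connection permit-vpn` on 7.x), which is why a deny in the outside ACL alone does not stop traffic from the remote LAN; and on 7.x a per-tunnel `vpn-filter` in the group policy is the alternative to an interface ACL. Verify the result with `show access-list inside_out` (hit counts) and `show crypto ipsec sa` (packets decrypted).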
 