Solved

PIX 525 that is doing NAT, ACL's and IPSec tunnels

Posted on 2004-10-07
4
658 Views
Last Modified: 2013-11-16
If the client is terminating IPSec tunnels on the  PIX.  Will traffic still need to meet ACL criteria to be passed to the
 trusted side of the PIX?  The reason that I am asking is because of the way they have their PIX configured.  This is not a
 question about setting up an IPSec tunnel as much as the flow of the traffic.  This tunnel is passing traffic.  So what I want to verify is after the tunnel has agreed upon parameters and before traffic begins to flow, will it need to pass through the access-list acl_out before going to the trusted side?  

0
Comment
Question by:mattnmilw
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 

Expert Comment

by:rolltide_bama
ID: 12249216
Well i am not sure if i am reading this question right but when you permit ipsec peers or networks you add them to a seperate acl because you are normally trusting private Ip addresses. So unless your acl_out is tied to your crypto map statement then no it wouldnt go through that acl.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12249787
VPN tunnels appear to the PIX as if originating within itself, not from any interface.
It should be a separate subnet
The Sysopt connection permit-ipsec command bypasses ingress access-lists
The Nat-zero access-list pretty  much determines the data flow between the inside LAN and the VPN subnet
The split-tunnel access-list determines what traffic the client actually sends down the tunnel
If you have an outbound access-list applied to the inside interface, then that will affect traffic between the inside hosts and the VPN clients.

rolltide_bama - long time no see! What do you think of Bama's chances with Croyle out for the season?
0
 

Expert Comment

by:rolltide_bama
ID: 12250045
good explanation of those commands and what they do.

hey lrmoore, yeah no long time no see for sure. As for Alabama they will be lucky to win a few more games and i dread playing Auburn.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12250182
I'll never hear the end of it. Wife's a big Auburn fan....
"that's what you get for showing off" (52-0 in game where Croyle got hurt at the very end)
"shouldn't have had him on the field anyway, shoulda let the backup QB's get a few plays in"
on and on and on.....

Thanks for the points, Matt!
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Configuring Port Access on Cisco ASA 5 52
Server 2012 R2 Radius server and Cisco AP 7 69
How to disable sflow Cisco nexus 9k 3 52
Cisco Nexus 9372 port channel 3 45
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question