Until just recently, we've always had trusted VPN connections which allowed us to use the 'sysopt connection ipsec-permit' command. With an introduction of a 3rd party VPN, we now need to filter the VPN traffic.
I've attempted to use the 'vpn-filter value acl_name' under group-policies with the following sample config.
(all the crypto and isakmp config work, so it's not included)
access-list acl_name extended permit tcp internal_net remote_vpn_net eq ftp
access-list acl_name extended deny ip any any
group-policy untrusted_vpn attributes
vpn-filter value acl_name
Now I understand that I can apply access-lists or modify current access-lists so that they accomplish what 'acl_name' attempted above. I don't want to go around on our production PIX and start applying access-lists on interfaces attempting to figure out which interface to apply it on. I guess my question is, if a VPN tunnel is terminated on my outside interface, where do I apply the access-lists?
Examples always help me, so use 220.127.116.11/24 as my internal network and 10.1.2.0/24 as the remote VPN network. The only traffic I want to allow is accessing an FTP server (10.1.2.5) on the remote network. I don't want the remote network to have any access and only want FTP traffic from internal hosts.
I understand sftp would be a lot simpler, but there's more to it than FTP.
Thanks in advance. Please let me know if I missed anything.
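As an added example (not from the poster's config), here is how the same restriction is usually written as a vpn-filter on PIX/ASA: the filter ACL is always written from the remote VPN side's point of view (remote network as source, local network as destination), and the firewall applies it in reverse to traffic leaving the tunnel, so a local-initiated FTP session is matched by an entry whose *source* port is ftp. The internal network is taken as 220.127.116.0/24 from the question; handling of the separate FTP data connection depends on FTP inspection and is not covered here.

```cisco
! Added example: vpn-filter ACL for the scenario in the question.
! vpn-filter ACLs are evaluated with the remote VPN side as the source.
! Entry 1: internal hosts may open FTP control connections (tcp/21) to
!          the remote FTP server 10.1.2.5. Written "backwards": the
!          remote server is the source, with source port ftp, and the
!          local /24 is the destination.
access-list untrusted_vpn_filter extended permit tcp host 10.1.2.5 eq ftp 220.127.116.0 255.255.255.0
! Entry 2: nothing else, in either direction (remote hosts cannot
!          initiate anything toward the internal network, because no
!          entry has the remote network as a source for other ports).
access-list untrusted_vpn_filter extended deny ip any any
!
! Attach the filter to the group policy used by the third-party tunnel.
! (The tunnel-group must reference this group-policy as its default-group-policy.)
group-policy untrusted_vpn attributes
 vpn-filter value untrusted_vpn_filter
```

With the vpn-filter in place, 'sysopt connection permit-ipsec' can stay enabled for the trusted tunnels: the sysopt only bypasses interface ACLs, and the vpn-filter is still enforced on decrypted traffic for the group policy it is attached to.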