[VPN] Complete VPN access to all PIX interfaces
Scott Nursten
scottn at s2s.ltd.uk
Fri Apr 25 05:25:36 EDT 2003
Jorge,
This is easily solved. One solution is, on your other interfaces, do the
following:
access-list dmz3 deny ip z.z.z.z 255.255.255.0 y.y.y.y 255.255.255.0
access-list dmz3 permit ip any any
access-group dmz3 in interface dmz3
Another solution would be to match interesting traffic on your dynamic-map:
access-list DYNCRYPTO permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
crypto dynamic-map dynmap 30 match address DYNCRYPTO
It is a good idea to have a separate ACL for this as you may want to have
disparate nat 0 and crypto ACLs.
Option one blocks traffic going to y.y.y.y _before_ it enters this pix, i.e.
as it hits the interface. Option two blocks traffic _before_ it enters the
tunnel, i.e. _after_ it's "entered" the firewall ASA.
Hope this helps.
--
Scott Nursten
-------------------
S2S Consultants
http://s2s.ltd.uk
scottn at s2s.ltd.uk
Tel: 0870 350 4525
Fax: 0870 350 4526
-------------------
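The two options above in the context of a full dynamic-map setup, as an added example that is not part of Scott's post. The addresses are constructed: 10.1.1.0/24 stands in for x.x.x.x (inside), 192.168.250.0/24 for y.y.y.y (the VPN client pool) and 172.16.3.0/24 for z.z.z.z (dmz3); the object names NONAT, ESP-3DES-SHA and OUTSIDE_MAP are assumed, and the syntax is PIX 6.x.

```cisco
: Added example (not from the original post). Constructed networks:
:   10.1.1.0/24      inside   (x.x.x.x)
:   192.168.250.0/24 VPN pool (y.y.y.y)
:   172.16.3.0/24    dmz3     (z.z.z.z)
:
: nat 0 ACL, kept separate from the crypto ACL: it lists every local network
: that must stay untranslated toward the pool, which may be broader than what
: any single tunnel is allowed to carry.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list NONAT permit ip 172.16.3.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz3) 0 access-list NONAT
:
: Option two: the crypto ACL defines the interesting traffic for the dynamic
: map. Only inside <-> pool is matched, so dmz3 traffic never enters the tunnel.
access-list DYNCRYPTO permit ip 10.1.1.0 255.255.255.0 192.168.250.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 match address DYNCRYPTO
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic dynmap
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
: Lets decrypted VPN traffic bypass the outside interface ACL only; it does
: not bypass the inbound ACL applied on dmz3 below.
sysopt connection permit-ipsec
:
: Option one: inbound ACL on dmz3. dmz3 hosts cannot start connections to the
: pool; the final permit keeps all other dmz3-sourced traffic working.
access-list dmz3 deny ip 172.16.3.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list dmz3 permit ip any any
access-group dmz3 in interface dmz3
```

After applying either option, `show access-list` hit counts on the deny entry (option one) or on DYNCRYPTO (option two) confirm which path the dmz3-to-pool packets are taking.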