Am I correctly reading that you are terminating your IPSec tunnels on the
same interface where the access-list in question will be applied? Are you
running a router with the IOS firewall / IPSec feature set?

Look, the rule is one access-list per direction per protocol per interface.
Period.  So no, you cannot have several IP access-lists applied in the same
direction on a single interface. Them's the rules.

That said, there is a separate access-list that defines traffic to be
encrypted and sent through the VPN tunnel. This may be what you have in mind
when you talk about several access-lists, each with a different function.

Chuck

-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Allen May
Sent:   Thursday, May 03, 2001 8:52 AM
To:     [EMAIL PROTECTED]
Subject:        Re: ACL [7:2882]

I'm sure there are plenty of people who know more about ACLs than I do...I
just use 'em ;)  Correct me if I'm wrong, but doesn't it process every
line in the ACL for the interface it's passing through until it finds a match
for permit/deny?  If you separate by ACL numbers you would have a few more
lines...depending on the configuration maybe a lot more lines...but it would
be easier to manage and maintain in my opinion.

The thing I'll have to play with this weekend is trying to combine an ACL
for an outside interface that includes IPSec with TACACS+ authentication AND
have regular access to the web servers on port 80 without authentication.
If authenticated on IPSec you would have ports open for ftp.  Now before we
get into the fact that when you're authenticated you are on an inside
interface & no longer bound by external interface, consider also having
IPSec router to router or PIX to PIX dedicated tunnels.

Seems sadistic that I thought this up but it's actually a project I'm
putting myself through...rofl.

Later

Allen
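The two points made in this thread, Allen's description of the router walking an ACL top-down until the first permit/deny match, and Chuck's rule that only one IP access-list can be bound per direction per interface (with the crypto ACL being a separate list that selects traffic for the tunnel rather than filtering it), as an added worked example. This is illustrative code written for this page, not anything posted by the participants. It is a deliberately small parser for a subset of Cisco extended ACL syntax (permit/deny, ip/tcp/udp, any/host/wildcard addresses, and a destination "eq PORT"; no established, ranges, log keyword or named lists), and every address, port and list number in it is a constructed sample value:

```python
"""First-match evaluator for a subset of Cisco-style extended IP access lists.

Added example for this thread, not code from any post in it. It models:
  * top-down, first-match processing with the implicit deny at the end;
  * merging separate per-host lists into the one list that can actually be
    applied per direction on an interface, where order decides the result;
  * a separate list standing in for the crypto ACL ("permit" = encrypt).
All addresses, ports and list numbers are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp" or "udp"
    src: Tuple[int, int]   # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]   # destination "eq <port>", if given


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (no other keywords)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def _addr_match(addr: int, spec: Tuple[int, int]) -> bool:
    # Cisco wildcard semantics: a 1 bit in the mask means "don't care".
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def lookup(acl: List[Ace], proto: str, src: str, dst: str, dport: int):
    """Return (action, index of the matching line); index is None for the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(s, ace.src) and _addr_match(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i          # first match wins; nothing below is looked at
    return "deny", None               # implicit deny at the end of every ACL


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    return lookup(acl, proto, src, dst, dport)[0]


def build(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


# Constructed sample: the per-host split from the thread, 101 for a server
# that takes ftp and http, 102 for a server that takes http only.
ACL_101 = build([
    "access-list 101 permit tcp any host 192.0.2.10 eq 21",
    "access-list 101 permit tcp any host 192.0.2.10 eq 80",
])
ACL_102 = build([
    "access-list 102 permit tcp any host 192.0.2.20 eq 80",
])

# Only one IP ACL can be applied inbound on the interface, so the two lists
# are concatenated into a single list carrying the same entries.
MERGED = ACL_101 + ACL_102

# Same entries, but a broad deny inserted first shadows every permit below it.
SHADOWED = build(["access-list 110 deny ip any 192.0.2.0 0.0.0.255"]) + MERGED

# A separate list (hypothetical number 115) in the role of the crypto ACL:
# "permit" here means "encrypt and send through the tunnel", not "forward".
CRYPTO_115 = build(["access-list 115 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"])


def needs_encryption(src: str, dst: str) -> bool:
    return evaluate(CRYPTO_115, "ip", src, dst, 0) == "permit"


def merged_results() -> Tuple[str, str, str, str]:
    client = "198.51.100.5"
    return (
        evaluate(MERGED, "tcp", client, "192.0.2.10", 21),   # permit, line 0
        evaluate(MERGED, "tcp", client, "192.0.2.20", 21),   # deny, ftp not opened for .20
        evaluate(MERGED, "tcp", client, "192.0.2.20", 80),   # permit, line 2 (was ACL 102)
        evaluate(MERGED, "udp", client, "192.0.2.10", 80),   # deny, falls off the end
    )
```

Running `merged_results()` shows that the merged list gives exactly the answers the two separate lists would have, so there is nothing lost by keeping one list per direction; `lookup(SHADOWED, ...)` shows the part that does matter when merging by hand, namely that a wide entry placed above narrower ones is the only line ever consulted for that traffic. The crypto list is kept apart on purpose: a "permit" in it is never a forwarding decision, which is why it cannot be folded into the interface ACL.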
----- Original Message -----
From: "Donald B Johnson jr"
To: "Allen May" ;
Sent: Thursday, May 03, 2001 11:45 AM
Subject: Re: ACL [7:2882]


> wouldn't that be a resource hog?
>
> ----- Original Message -----
> From: "Allen May"
> To:
> Sent: Wednesday, May 02, 2001 1:55 PM
> Subject: Re: ACL [7:2882]
>
>
> > 1 reason would be to separate ACLs per internal IP address you're
> > permitting/denying access to.  101=specific IP allowing ftp and http,
> > 102=different IP allowing http only, etc.  It would look cleaner
> > anyway....
> >
> > ----- Original Message -----
> > From: "Donald B Johnson jr"
> > To:
> > Sent: Wednesday, May 02, 2001 3:19 PM
> > Subject: Re: ACL [7:2882]
> >
> >
> > > Why
> > > ----- Original Message -----
> > > From: "BASSOLE Rock"
> > > To:
> > > Sent: Wednesday, May 02, 2001 7:24 AM
> > > Subject: ACL [7:2882]
> > >
> > >
> > > > Hi,
> > > >
> > > > Can we apply more than one ACL per interface?
> > > >
> > > >
> > > > Example:
> > > >
> > > > Interface Serial1
> > > > ip access-group 102 in
> > > > ip access-group 103 out
> > > > ip access-group 104 in
> > > > ip access-group 105 out
> > > >
> > > > Thank you.
> > > >
> > > > Rock BASSOLE
> > > > Til: +33 (0) 1 45 96 22 03
> > > > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3103&t=2882
--------------------------------------------------
