Hello,

Got one that Cisco can't help me with, at least not so far. I've got a tunnel to a business partner but I don't want to use sysopt connection permit-ipsec because its function, according to Cisco doc, is to "...implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated conduit or access-group command for IPSec connections." BTW, I'm using 5.1(2) on a 515.

In other words (and I'm happy to be mistaken), I want more granularity than just saying that any traffic from this tunneled host is O.K.:

access-list 101 permit ip host blahhost netmask 2ndblahhost netmask

Before we get to the commands involved, because many of you may know that already, I'd like to understand how the PIX handles this situation. Specifically, when I'm normally (i.e., non-IPsec) trying to filter incoming traffic from the Internet, I apply access-lists to the external interface. In an IPsec setup, the tunnel terminates on the external interface.

My ultimate questions are 1) can I apply more granularity to incoming IPsec traffic, such as port restrictions (no inbound FTP allowed, etc.) and 2) to which interface is this logic applied, the external interface where the tunnel terminates or the next interface in, whether it be a DMZ or internal interface? Conceptually, I'd rather drop traffic as far out as possible, meaning the external interface, in this case. We're getting several answers from Cisco, some of which seem to be mutually exclusive.

Thanks and feel free to ask further questions.

Brent Stackhouse
Security Analyst
2ndWave, Inc.
Austin, Texas
512-439-5005
[EMAIL PROTECTED]
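As an added illustration (not part of the original post, and not a configuration Cisco or the poster supplied), this is the shape of the PIX configuration the question is about: the sysopt bypass turned off so that decrypted tunnel traffic is checked against the outside interface's access-group, plus an access-list that lets the partner host reach only specific services and drops everything else (FTP included) at the outside interface. The addresses (203.0.113.10 for the partner host, 192.0.2.20 for the local server's outside address), the ACL names and the chosen services are constructed placeholders; the ISAKMP and crypto map statements that actually build the tunnel are omitted. The access-list and access-group syntax is the one the post itself uses; that 5.1(2) behaves exactly like later 5.x/6.x releases in this respect is an assumption to confirm against that release's documentation.

```cisco
! Added example, not from the original post. Addresses and names are
! constructed placeholders: 203.0.113.10 = partner host behind the tunnel,
! 192.0.2.20 = our server as the partner sees it (its outside address).

! Do not bypass the interface ACL for traffic arriving through IPsec;
! decrypted packets are then checked like any other inbound packet.
no sysopt connection permit-ipsec

! Crypto ACL: defines what traffic the tunnel carries (referenced by the
! crypto map, which is omitted here).
access-list partner_vpn permit ip host 192.0.2.20 host 203.0.113.10

! Outside-interface ACL: what the partner may do once decrypted.
! Only HTTPS and SSH from the partner host to our server are allowed;
! inbound FTP from the partner is caught by the explicit deny.
access-list outside_in permit tcp host 203.0.113.10 host 192.0.2.20 eq 443
access-list outside_in permit tcp host 203.0.113.10 host 192.0.2.20 eq 22
access-list outside_in deny ip host 203.0.113.10 any

! PIX access-groups only filter inbound on an interface; bind the ACL
! to the interface where the tunnel terminates so drops happen there.
access-group outside_in in interface outside
```

Two caveats when adapting this: on a PIX of that era the destination in an outside-interface ACL is the address the packet carries when it hits the interface, so whether that is the server's real or its translated address depends on how NAT is set up for the tunnel traffic; and the explicit deny for the partner host is there only so the drop is visible in the logs, since the implicit deny at the end of the list would drop it anyway.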
