From: KDawg44 on
Hi,

I have a Pix501 running version 6.3. I need to configure it as a VPN
endpoint. The internet connection is a DSL modem with a dynamic IP
and I have the public IP passing through the DSL modem to the external
interface of the Pix. However, how do I construct my ACLs so that
established connections are allowed return traffic but the only other
traffic is VPN traffic? Is there a "reflect packets" or "established"
keyword on the pix that will keep track of the state of outgoing
connections when setting up the ACL for my inside interface out?

Thanks for any help.

Kevin

From: KDawg44 on
On Aug 7, 3:29 pm, KDawg44 <kdaw...(a)gmail.com> wrote:
> Hi,
>
> I have a Pix501 running version 6.3.  I need to configure it as a VPN
> endpoint.  The internet connection is a DSL modem with a dynamic IP
> and I have the public IP passing through the DSL modem to the external
> interface of the Pix.  However, how do I construct my ACLs so that
> established connections are allowed return traffic but the only other
> traffic is VPN traffic?  Is there a "reflect packets" or "established"
> keyword on the pix that will keep track of the state of outgoing
> connections when setting up the ACL for my inside interface out?
>
> Thanks for any help.
>
> Kevin

Okay, so it appears that the statefulness is inherent. So what I
need on the outside_in ACL is:

allow VPN stuff
deny any any

Thanks. I am very rusty since I haven't worked on these in five
years!
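A concrete form of that outside_in ACL for PIX 6.3, added here as an example and not taken from the thread; it assumes an IPsec peer using IKE (UDP 500), ESP, and NAT-T (UDP 4500), and, because the outside address is dynamic, matches `any` as the destination rather than a fixed host entry:

```cisco
! Added example, not from the thread. Assumes IPsec with IKE (UDP 500),
! ESP, and NAT-T (UDP 4500). The outside address is dynamic, so the
! destination is left as "any" instead of a host entry.
access-list outside_in permit udp any any eq isakmp
access-list outside_in permit udp any any eq 4500
access-list outside_in permit esp any any
! Everything else arriving on the outside interface is dropped and logged.
! Return traffic for connections opened from the inside is permitted by
! the stateful inspection, not by an entry in this ACL.
access-list outside_in deny ip any any log
access-group outside_in in interface outside
! Let decrypted IPsec traffic bypass the interface ACL check.
sysopt connection permit-ipsec
```

The implicit deny at the end of the ACL would drop the remaining traffic anyway; the explicit entry with `log` only makes those drops visible in the syslog.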