Restricted access for a site-to-site VPN

May 21st, 2007

Hi. I'm after some advice. Is there any way to restrict the remote end of a site-to-site VPN connection to certain devices on our network? We use a Pix 515E (v7 s/w). I know how to do it for remote users connecting via Cisco client s/w but not for existing site VPNs. Thanks.

acomiskey Mon, 05/21/2007 - 05:23

How are you doing it for remote access VPNs? You've got several options and they are the same as the ones for your remote access VPNs.

For the LAN-to-LAN tunnels you could remove sysopt conn permit-ipsec and use interface ACLs to filter the traffic (will affect all IPsec traffic). You could also be very specific with your interesting traffic and NAT exemption ACLs to define traffic only to those devices which you wanted remote access.

Rex Biesty Mon, 05/21/2007 - 07:39

Hi and thanks for the reply. Existing restrictions on incoming client VPN connections are achieved by creating a new VPN group, restricting that group to one IP address when they connect, then limiting what that IP address can access:

vpngroup external_support address-pool pool2
vpngroup external_support dns-server
vpngroup external_support wins-server
vpngroup external_support default-domain
vpngroup external_support idle-time 1800
vpngroup external_support password
ip local pool pool2 10.x.x.1-10.x.x.1 mask
nat (inside) 0 access-list nonat
access-list nonat permit ip host host 10.x.x.1
access-list nonat permit ip host host 10.x.x.1

Currently we have a number of people and companies who connect via client and site VPNs, so I'm after a solution which will not affect existing connectivity. Can a similar solution to the one I already use be implemented for site VPNs? Thanks.

acomiskey Mon, 05/21/2007 - 07:57

Sure, you can do something like this with interesting traffic...

access-list outside_cryptomap_20 extended permit ip host
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.1
access-list outside_cryptomap_40 extended permit ip host
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.2

Another option is to implement a vpn-filter and apply it to specific tunnel group policies. This document is for remote access VPNs but it works for LAN-to-LAN group policies as well.
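As an added example (not taken from the thread or from Cisco documentation), here is how both approaches in the reply above look on a PIX 7.x/ASA-style configuration: a narrowed interesting-traffic ACL per peer, and a vpn-filter bound to the LAN-to-LAN tunnel's group policy. The inside hosts, remote network, peer address, object names and key are constructed placeholders.

```cisco
! Added example, not from the original thread. All addresses and names are
! constructed: 10.1.1.10 / 10.1.1.20 are the only local servers the partner
! may reach, 192.168.50.0/24 is the partner LAN, 203.0.113.1 is the peer.
!
! Option 1: narrow the interesting-traffic (crypto) ACL so the tunnel only
! ever carries traffic between the permitted local hosts and the remote LAN.
! Crypto ACL direction: source = local, destination = remote.
access-list outside_cryptomap_20 extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host 10.1.1.20 192.168.50.0 255.255.255.0
! The NAT exemption ACL must match the same hosts; otherwise the traffic is
! translated and never matches the crypto ACL.
access-list nonat extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list nonat extended permit ip host 10.1.1.20 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
!
! Option 2: keep the crypto ACL as is and filter inside the tunnel with a
! vpn-filter on the group policy attached to the L2L tunnel-group.
! Caveat: a vpn-filter ACL is written from the remote side's perspective,
! source = remote network, destination = local host and port.
access-list L2L_PARTNER_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-list L2L_PARTNER_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.20 eq 22
! Implicit deny: anything else arriving through this tunnel is dropped, even
! while sysopt connection permit-ipsec still bypasses the interface ACL.
group-policy L2L_PARTNER internal
group-policy L2L_PARTNER attributes
 vpn-filter value L2L_PARTNER_FILTER
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L_PARTNER
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
!
! Verify: the filter name should show up in the session details for the peer,
! and hit counts on the filter ACL confirm it is actually being matched.
show vpn-sessiondb detail l2l
show access-list L2L_PARTNER_FILTER
```

Because the group policy is attached only to this tunnel-group, other client and site VPNs keep their existing behaviour.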

Rex Biesty Mon, 05/21/2007 - 08:03

Thanks for the reply. I'll try it out over the next few weeks and let you know if I get stuck.

