Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
13
Helpful
4
Replies

Restricted access for a site-to-site VPN

Rex Biesty
Level 1
Level 1

‎05-21-2007 05:14 AM - edited ‎03-11-2019 03:17 AM

Hi. I'm after some advice. Is there any way to restrict the remote end of a site-to-site VPN connection to certain devices on our network? We use a Pix 515E (v7 s/w). I know how to do it for remote users connecting via Cisco client s/w but not for existing site VPNs. Thanks.

Labels:
0 Helpful
4 Replies 4

acomiskey
Level 10
Level 10

‎05-21-2007 05:23 AM

How are you doing it for remote access vpn's? You've got several options and they are the same as the ones for your remote access vpns.

For the lan to lan tunnels you could remove sysopt conn permit-ipsec and use interface acls to filter the traffic (will affect all ipsec traffic). You could also be very specific with your interesting traffic and nat exemption acl's to define traffic only to those devices which you wanted remote access.

Rex Biesty
Level 1
Level 1
In response to acomiskey

‎05-21-2007 07:39 AM

Hi and thanks for the reply. Existing restrictions on incoming client VPN connections are achieved by creating a new VPN group, restricting that group to one IP address when they connect then limiting what that IP address can access

(e.g.

vpngroup external_support address-pool pool2

vpngroup external_support dns-server

vpngroup external_support wins-server

vpngroup external_support default-domain

vpngroup external_support idle-time 1800

vpngroup external_support password

ip local pool pool2 10.x.x.1-10.x.x.1 mask 255.255.255.255

nat (inside) 0 access-list nonat

access-list nonat permit ip host host 10.x.x.1

access-list nonat permit ip host host 10.x.x.1)

Currently we have a number of people and companies who connect via client and site VPNs so I'm after a solution which will not affect existing connectivity. Can a similar solution to the one I already use be implemented for site vpns. Thanks.

0 Helpful

acomiskey
Level 10
Level 10
In response to Rex Biesty

‎05-21-2007 07:57 AM

Sure, you can do something like this with interesting traffic...

access-list outside_cryptomap_20 extended permit ip host

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.1

access-list outside_cryptomap_40 extended permit ip host

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer x.x.x.2

Another option is to implement a vpn-filter and apply it to specific tunnel group policies. This document is for remote access vpn's but it works for lan to lan group policies as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Rex Biesty
Level 1
Level 1
In response to acomiskey

‎05-21-2007 08:03 AM

Thanks for the reply. I'll try it out over the next few weeks and let you know if I get stuck

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card