01-14-2008 09:30 AM - edited 03-11-2019 04:47 AM
Just wanting to check my work for setting up a site-to-site but only want to give access to a specific host. Is correct?
# Access list to specific host.
access-list inside_outbout_nat0 permit ip 10.0.0.9 255.255.255.255 10.254.0.0 255.255.255.0
# remote side of Site-to-site Tunnel
pdm location 1.2.3.4 255.255.255.255 outside
# VPN specific stuff.
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.2.3.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
# VPN authentication
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
01-14-2008 10:30 AM
Your Phase 2 configuration seems straightforward; you may want to add a couple of statements for your L2L, as they will be needed, otherwise it will not work. Where is your Phase 1 configuration, i.e. what pertains to the isakmp policy?
This is part of IPsec Phase 2:
crypto isakmp enable outside (enables the outside interface as your L2L VPN tunnel point)
crypto map outside_map interface outside (binds your crypto map to the outside interface)
Also make sure the other end of the tunnel agrees on these settings, and that the opposite side has an access-list the other way around.
e.g.
The other side of the tunnel has a similar access list:
access-list inside_outbout_nat0 permit ip 10.254.0.0 255.255.255.0 10.0.0.9 255.255.255.255
Rgds
Jorge
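The mirroring rule above (the far end's access-list must be the local one with source and destination swapped, masks included) is easy to get wrong when a line is copied by hand. The following is an added example, not code from the thread or from Cisco, that parses PIX/ASA-style `access-list ... permit ip` lines from both ends, reports entries whose address has host bits set under its mask (the symptom of swapped masks), and reports any entry without a mirror on the other side. The ACL name and addresses in the sample lines are constructed for the example.

```python
# Added example: consistency check for the crypto / nat0 ACLs on both ends
# of a PIX/ASA site-to-site tunnel. Not from the thread; sample lines are
# constructed. PIX/ASA ACLs use subnet masks, not wildcard masks.
import ipaddress
import re
from dataclasses import dataclass

# Matches "access-list NAME permit ip SRC SMASK DST DMASK"
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)


@dataclass(frozen=True)
class AclEntry:
    name: str
    src: str
    smask: str
    dst: str
    dmask: str

    def mirror(self):
        """The entry the far end should carry: source and destination swapped."""
        return AclEntry(self.name, self.dst, self.dmask, self.src, self.smask)

    def flow(self):
        return (self.src, self.smask, self.dst, self.dmask)


def parse_acl(text):
    """Return an AclEntry for every permit-ip line; comments and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = ACL_RE.match(line)
        if m:
            entries.append(AclEntry(**m.groupdict()))
    return entries


def mask_problems(entry):
    """Flag address/mask pairs where the address has host bits outside the mask,
    e.g. 10.0.0.9 255.255.255.0 (a host address given a network mask)."""
    problems = []
    for label, addr, mask in (("source", entry.src, entry.smask),
                              ("destination", entry.dst, entry.dmask)):
        try:
            ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        except ValueError:
            problems.append(f"{label} {addr} has host bits set under mask {mask}")
    return problems


def check_pair(local_text, remote_text):
    """Compare the two ends of the tunnel; returns a list of findings (empty = consistent)."""
    local = parse_acl(local_text)
    remote = parse_acl(remote_text)
    findings = []
    for side, entries in (("local", local), ("remote", remote)):
        for e in entries:
            findings.extend(f"{side}: {p}" for p in mask_problems(e))
    for e in local:
        if not any(e.mirror().flow() == r.flow() for r in remote):
            findings.append(f"remote side lacks mirror of local {e.src}/{e.smask} -> {e.dst}/{e.dmask}")
    for r in remote:
        if not any(r.mirror().flow() == e.flow() for e in local):
            findings.append(f"local side lacks mirror of remote {r.src}/{r.smask} -> {r.dst}/{r.dmask}")
    return findings


# Constructed sample lines: one host on the local side, one /24 on the remote side.
LOCAL_ACL = "access-list l2l_nat0 permit ip 10.0.0.9 255.255.255.255 10.254.0.0 255.255.255.0"
REMOTE_ACL_OK = "access-list l2l_nat0 permit ip 10.254.0.0 255.255.255.0 10.0.0.9 255.255.255.255"
# Same line with the addresses swapped but the masks left in place: a common copy error.
REMOTE_ACL_SWAPPED = "access-list l2l_nat0 permit ip 10.254.0.0 255.255.255.255 10.0.0.9 255.255.255.0"

if __name__ == "__main__":
    for label, remote in (("correct mirror", REMOTE_ACL_OK), ("swapped masks", REMOTE_ACL_SWAPPED)):
        print(f"== {label} ==")
        for f in check_pair(LOCAL_ACL, remote) or ["no findings"]:
            print("  " + f)
```

Run it against the two configs (paste each end's `show run access-list` output into the two strings); an empty result means every entry has a mirror on the far end and no mask is inconsistent with its address. The check only covers the ACL symmetry Jorge describes; peer addresses, transform sets and Phase 1 policy still have to be compared by hand.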
01-14-2008 10:41 AM
Jorge,
I left out the rest of my config; I do currently have an existing site-to-site already set up. I thought I was correct, but just wanted to double check. Sometimes a second set of eyes is always good.
Thanks
Mike