vpn tunnel and access lists

Unanswered Question
Feb 14th, 2008

Hi all,

I am in the process of creating a site-to-site tunnel between 2 sites. We need to access e-mail, internet and RDP from site A on site B, and we need to access RDP, telnet and mail from site B to site A. Can anyone tell me what I need to do to create the tunnel? Do I just allow source to destination networks and then use an access list to prohibit the ports, or do I do this in the tunnel setup itself?

Do the tunnel's encrypted networks need to be exactly the same on both ends?

Thanks

acomiskey Thu, 02/14/2008 - 09:04

Yes, the interesting traffic on each end should be a mirror of the other end's. For instance...

Site A

access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B

access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

There are 2 options for restricting the vpn traffic.

1. Remove "sysopt connection permit-ipsec/vpn". This will force all IPsec traffic to be filtered by your regular interface access lists. So to allow traffic from site B to site A...

Site A

no sysopt connection permit-vpn
access-list outside_access_in remark site B LAN to site A LAN (networks from the crypto ACL above)
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 25
access-group outside_access_in in interface outside

Site B

no sysopt connection permit-vpn
access-list outside_access_in remark site A LAN to site B LAN (networks from the crypto ACL above)
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 25
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq http
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 3389
access-group outside_access_in in interface outside

2. Use the vpn-filter attribute in the tunnel group policy to restrict the traffic.

This example is for remote access vpn but also works for l2l.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
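Added example, not code from the thread or from Cisco: a small Python check that the crypto (interesting-traffic) ACLs pulled from two ASA configs are mirrors of each other, which is what the answer above requires. The ACL name "crypto" and the 192.168.1.0/24 and 192.168.2.0/24 networks follow the thread; the sample configs and the extra 10.0.0.0/24 entry on site A are constructed.

```python
import re
from collections import namedtuple

# Matches an ASA extended ACE of the form:
#   access-list NAME extended permit PROTO SRC SMASK DST DMASK [...]
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)

Ace = namedtuple("Ace", "proto src smask dst dmask")

def parse_acl(config, name):
    """Return the ACEs of ACL `name` found in an ASA config text."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            aces.append(Ace(*m.group("proto", "src", "smask", "dst", "dmask")))
    return aces

def mirror_of(ace):
    """The ACE the peer must carry: same protocol, source and destination swapped."""
    return Ace(ace.proto, ace.dst, ace.dmask, ace.src, ace.smask)

def mirror_mismatches(site_a, site_b):
    """Return (ACEs on A with no mirror on B, ACEs on B with no mirror on A)."""
    missing_on_b = sorted(set(site_a) - {mirror_of(b) for b in site_b})
    missing_on_a = sorted(set(site_b) - {mirror_of(a) for a in site_a})
    return missing_on_b, missing_on_a

# Constructed sample (assumption, not from the thread): site A also encrypts a
# 10.0.0.0/24 network that site B knows nothing about.
SITE_A_CONFIG = """
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
"""
SITE_B_CONFIG = """
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    a_only, b_only = mirror_mismatches(parse_acl(SITE_A_CONFIG, "crypto"),
                                       parse_acl(SITE_B_CONFIG, "crypto"))
    for ace in a_only:
        print("site B lacks the mirror of:", ace)
    for ace in b_only:
        print("site A lacks the mirror of:", ace)
```

Run it against the two running configs (show running-config access-list on each ASA) and an empty result on both sides means the tunnel definitions match; the interface ACL lines are ignored because only the named crypto ACL is compared.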
