VPN tunnel and access lists

Feb 14th, 2008
hi all


I am in the process of creating a site-to-site tunnel between 2 sites. We need to access e-mail, internet and RDP from site A on site B, and we need to access RDP, telnet and mail from site B to site A. Can anyone tell me what I need to do to create the tunnel? Do I just allow source to destination networks and then use an access list to prohibit the ports, or do I do this in the tunnel setup itself?


Do the tunnel's encrypted networks need to be exactly the same at both ends?

thanks


acomiskey Thu, 02/14/2008 - 09:04

Yes, the interesting traffic should be mirrors of each other on either end. For instance...


Site A

access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Site B

access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0


There are 2 options for restricting the vpn traffic.


1. Remove "sysopt connection permit-ipsec/vpn". This will force all IPsec traffic to be filtered by your regular interface access lists. So to allow traffic from site B to site A...


Site A

no sysopt connection permit-vpn

access-list outside_access_in extended permit tcp eq 3389

access-list outside_access_in extended permit tcp eq 21

access-list outside_access_in extended permit tcp eq 25

access-group outside_access_in in interface outside


Site B

no sysopt connection permit-vpn

access-list outside_access_in extended permit tcp eq 25

access-list outside_access_in extended permit tcp eq http

access-list outside_access_in extended permit tcp eq 3389

access-group outside_access_in in interface outside


2. Use the vpn-filter attribute in the tunnel group policy to restrict the traffic.


This example is for remote access VPN but also works for L2L.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
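The mirroring requirement above is easy to get wrong once a crypto ACL has more than one line, and a non-mirrored ACE is a classic cause of a tunnel that negotiates for one subnet pair but silently drops another. The following is an added example (not from the poster or from Cisco) that parses the `access-list NAME extended permit ip SRC MASK DST MASK` form used in the reply and reports every ACE on one side whose source/destination reversal is absent on the other. The site A/B inputs are the ones from the reply; the third ACL is a constructed, deliberately broken site B variant with an extra subnet.

```python
"""Check that two ASA crypto (interesting-traffic) ACLs mirror each other.

Added example; parses only the `permit ip SRC MASK DST MASK` ACE form shown
in the thread. Anything else raises so a silently ignored line cannot hide
a mismatch.
"""
import re
from ipaddress import ip_network

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(config_text):
    """Return a set of (src_network, dst_network) pairs from ACE lines."""
    pairs = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ACE: " + line)
        # ipaddress accepts a dotted netmask; strict=True rejects host bits
        # set in the network address, which ASA would also complain about.
        src = ip_network(f"{m['src']}/{m['smask']}", strict=True)
        dst = ip_network(f"{m['dst']}/{m['dmask']}", strict=True)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(site_a_acl, site_b_acl):
    """Return (missing_on_b, missing_on_a).

    An ACE src->dst on one side is mirrored when dst->src exists on the
    other side. Each list holds "src -> dst" strings for ACEs lacking
    their mirror; both empty means the crypto ACLs are mirrors.
    """
    a = parse_crypto_acl(site_a_acl)
    b = parse_crypto_acl(site_b_acl)
    missing_on_b = sorted(f"{s} -> {d}" for s, d in a if (d, s) not in b)
    missing_on_a = sorted(f"{s} -> {d}" for s, d in b if (d, s) not in a)
    return missing_on_b, missing_on_a


# Inputs from the reply above (site A and site B crypto ACLs).
SITE_A = """
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
SITE_B = """
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Constructed variant: site B also encrypts a 192.168.3.0/24 subnet that
# site A knows nothing about, so that ACE has no mirror.
SITE_B_EXTRA = SITE_B + """
access-list crypto extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, b_acl in (("matching", SITE_B), ("extra subnet", SITE_B_EXTRA)):
        missing_b, missing_a = mirror_mismatches(SITE_A, b_acl)
        print(f"{label}: missing on B={missing_b} missing on A={missing_a}")
```

Run it against the two configs before bringing the tunnel up; an empty pair of lists is the result you want. The same approach extends to the interface ACLs in option 1 if you add a pattern for the `permit tcp ... eq PORT` form, but note those are not expected to mirror, since each side permits only the services it exposes.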
