Open only one port between Site to Site Tunnel

Answered Question
Jul 19th, 2008

Hi, I have just established a Site-to-Site tunnel between our office and the ISP and exempted IP protocol between both ends, and it is working fine: I can access the remote network and they can access my office network as well. Now I want us to be able to access the remote network on all ports, as we can now, but I don't want the remote site to be able to access my office network except on port 25 only. Please advise. The access list is mentioned below:


access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0

access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0


Office Inside Network 192.168.50.0/24

Office DMZ Network 192.168.51.0/24

Remote Network 172.17.80.247/24


I also need to be able to ping remote network machines and servers from the office network Inside and DMZ zones.


Thanks

a.alekseev Sat, 07/19/2008 - 13:02

no sysopt connection permit-ipsec


access-list OUTSIDE-IN permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

access-group OUTSIDE-IN in int outside


or another variant


under "group-policy x.x.x.x attributes"

you can use "vpn-filter value ACL"

configure terminal

nikuhappy2010 Sat, 07/19/2008 - 13:09

If I use this command "no sysopt connection permit-ipsec" then my other tunnels will stop.


Using for ISP Tunnel

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes


Can you post the commands one by one? Here I am a bit confused. Thanks

Correct Answer
a.alekseev Sat, 07/19/2008 - 13:35

access-list XXX permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

group-policy x.x.x.x attributes

vpn-filter value XXX
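
As an added illustration (not code from this thread or from Cisco), the following Python model shows how an ASA matches a vpn-filter ACL against tunnel traffic: each ACE is written with the remote network as source and the local network as destination, and for a packet about to enter the tunnel (local-initiated) the ASA swaps source and destination before matching. The sample flows and their addresses are constructed; the ACL is the one from the accepted answer.

```python
import ipaddress

# Constructed model (not Cisco code) of how an ASA matches a vpn-filter ACL.
# Each ACE is written with the REMOTE network as source and the LOCAL network
# as destination; for a packet about to enter the tunnel (local-initiated) the
# ASA swaps source and destination before matching. First packet of a flow only.

VPN_FILTER = [  # the accepted answer's ACL, copied from the thread
    "access-list XXX permit tcp 172.17.80.247 255.255.255.0 "
    "192.168.50.0 255.255.254.0 eq 25",
]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def net():  # 'host a.b.c.d' or 'a.b.c.d m.m.m.m' (mask, not wildcard)
        nonlocal i
        i += 2
        if tok[i - 2] == "host":
            return ipaddress.ip_network(tok[i - 1])
        return ipaddress.ip_network(f"{tok[i-2]}/{tok[i-1]}", strict=False)

    def port():  # optional 'eq N' after a network; None means any port
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return int(tok[i - 1])
        return None

    src, sport = net(), port()
    dst, dport = net(), port()
    return action, proto, src, sport, dst, dport

def vpn_filter_allows(acl, proto, src, sport, dst, dport, from_remote):
    """True if the flow's first packet passes the vpn-filter ACL."""
    if not from_remote:  # local-initiated: ASA swaps src/dst (and ports)
        src, sport, dst, dport = dst, dport, src, sport
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in map(parse_ace, acl):
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL
```

Run against this ACL, a remote host reaching office port 25 is permitted, while an office-initiated connection to the remote side and an ICMP echo both fall to the implicit deny because the filter is matched per packet with the remote side as source, not per stateful connection. The office-to-remote access and ping asked for in the question would therefore need further ACEs in the filter.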


nikuhappy2010 Sat, 07/19/2008 - 13:51

Hi, we don't need to delete any command as I mentioned, and second, I would like to understand whether vpn-filter is a command in ASA.

a.alekseev Sat, 07/19/2008 - 13:58

If you want to understand :)

Read the configuration guide.


vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.


You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.


vpn-filter {value ACL name | none}


no vpn-filter



nikuhappy2010 Sat, 07/19/2008 - 14:02

Thanks. Lastly, I want to know whether there is any other way to do the same process.
