Open only one port between Site to Site Tunnel

nikuhappy2010
Level 1

Hi, I have just established a Site to Site Tunnel between our office and ISP and exempt IP protocol between both ends, and it's working fine: I can access the remote network and they can access my office network as well. Now I want that we access the remote network and access all ports as we are able to now, but I don't want the remote site to be able to access my office network except on port 25 only. Please advise. The access list is mentioned below:

access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247 255.255.255.0

access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247 255.255.255.0

Office Inside Network 192.168.50.0/24

Office DMZ Network 192.168.51.0/24

Remote Network 172.17.80.247/24

I also need to be able to ping remote network machines and servers from the office network Inside and DMZ zones.

Thanks


6 Replies

a.alekseev
Level 7

no sysopt connection permit-ipsec

access-list OUTSIDE-IN permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

access-group OUTSIDE-IN in int outside

or another variant

under "group-policy x.x.x.x attributes"

you can use "vpn-filter value ACL"

configure terminal

If I use this command "no sysopt connection permit-ipsec" then my other tunnels will stop.

Using for ISP Tunnel

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

Can you post the commands one by one? Here I am a bit confused. Thanks

access-list XXX permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

group-policy x.x.x.x attributes

vpn-filter value XXX

Hi, we don't need to delete any command as I mentioned, and second, I would like to understand if vpn-filter is a command in the ASA.

If you want to understand :)

read the configuration guide.

vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.

vpn-filter {value ACL name | none}

no vpn-filter
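The direction-agnostic nature of a vpn-filter is easy to get backwards, so here is a small model of it as an added example (my code, not from the thread, from a.alekseev, or from Cisco). It assumes the documented vpn-filter behaviour: the ACL is written with the remote network as the source and the local network as the destination, and the ASA checks the first packet of every new connection against it in both directions, mapping the remote side onto the source fields even for connections the office initiates. Run against the single ACE from the accepted solution, it shows that remote-initiated SMTP to the office is permitted and remote-initiated HTTP is denied, but also that an office-initiated connection to a remote port is denied, because the remote port lands in the ACE's source field while the office's ephemeral port is compared with eq 25. A second filter, constructed here and not taken from the thread, adds ICMP for the ping requirement and a gt 1023 entry for office-initiated connections; all host addresses, ports and the RELAXED ACL are assumptions for illustration.

```python
"""Model of how an ASA vpn-filter ACL decides whether a new connection may
cross a site-to-site tunnel. Added example, not part of the thread.

Assumed behaviour (Cisco's documented vpn-filter semantics): the ACL is
written from the remote peer's point of view, i.e. the remote network is
always the ACE source and the local network the ACE destination, and it is
checked against the first packet of a connection in both directions. For a
connection the local side initiates, the remote address and port are still
compared with the ACE's source fields.
"""
import ipaddress

PORT_OPS = ("eq", "gt", "lt", "range")


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A MASK' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # strict=False zeroes the host bits, so a spec written as
    # "172.17.80.247 255.255.255.0" (as in the thread) becomes 172.17.80.0/24.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional port operator and return (predicate, rest)."""
    if not tokens or tokens[0] not in PORT_OPS:
        return (lambda p: True), tokens
    op = tokens[0]
    if op == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    n = int(tokens[1])
    pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
    return pred, tokens[2:]


def parse_ace(line):
    """Parse one ACE, e.g. 'permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25'.
    A leading 'access-list NAME [extended]' prefix is tolerated and dropped."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
        if tokens[0] == "extended":
            tokens = tokens[1:]
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, tokens = _parse_addr(tokens)
    src_port, tokens = _parse_port(tokens)
    dst, tokens = _parse_addr(tokens)
    dst_port, tokens = _parse_port(tokens)
    return {"action": action, "proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port}


def evaluate(acl, proto, remote_ip, remote_port, local_ip, local_port):
    """First matching ACE wins; no match means the implicit deny applies."""
    r_ip, l_ip = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if (r_ip in ace["src"] and ace["src_port"](remote_port)
                and l_ip in ace["dst"] and ace["dst_port"](local_port)):
            return ace["action"] == "permit"
    return False


def connection_allowed(acl, initiator, proto, src_ip, src_port, dst_ip, dst_port):
    """Decide a new connection. initiator is 'remote' or 'local'. Return traffic
    of an allowed connection is handled statefully, so only this first packet is
    filtered; mapping the packet onto remote/local roles before matching is where
    the source/destination swap for local-initiated traffic comes from."""
    if initiator == "remote":
        return evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port)
    return evaluate(acl, proto, dst_ip, dst_port, src_ip, src_port)


# The accepted solution's filter, exactly as posted in the thread.
SMTP_ONLY = [parse_ace("permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25")]

# Constructed relaxed filter (not from the thread): ICMP for ping, plus an entry
# that lets the office open any remote port. Because the filter is
# direction-agnostic, the 'gt 1023' entry also admits remote-initiated
# connections to office ports above 1023; that is the trade-off to weigh.
RELAXED = SMTP_ONLY + [
    parse_ace("permit icmp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0"),
    parse_ace("permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 gt 1023"),
]

if __name__ == "__main__":
    # Constructed sample connections: (initiator, proto, src_ip, src_port, dst_ip, dst_port)
    cases = [
        ("remote", "tcp", "172.17.80.10", 40000, "192.168.50.5", 25),
        ("remote", "tcp", "172.17.80.10", 40000, "192.168.50.5", 80),
        ("local", "tcp", "192.168.51.20", 51000, "172.17.80.10", 80),
        ("local", "icmp", "192.168.50.5", 0, "172.17.80.10", 0),
        ("remote", "tcp", "172.17.80.10", 40000, "192.168.50.5", 8080),
    ]
    for c in cases:
        print(c, "SMTP_ONLY:", connection_allowed(SMTP_ONLY, *c),
              "RELAXED:", connection_allowed(RELAXED, *c))
```

Running the block prints each sample connection under both filters. The last case is the one to watch: with the gt 1023 entry, a remote-initiated connection to an office port above 1023 is admitted too, so a policy that must stay strictly one-way (office out to everything, remote in only to port 25) is better expressed with the direction-aware interface ACL from the first reply (no sysopt connection permit-ipsec plus access-group on the outside interface) than with a vpn-filter alone.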

Thanks, lastly I want to know whether there is any other way to do the same process.
