07-19-2008 12:27 PM - edited 03-11-2019 06:17 AM
Hi, I have just established a Site to Site Tunnel between our office and ISP and exempted the IP protocol between both ends, and it is working fine: I can access the remote network and they can access my office network as well. Now I want us to access the remote network on all ports, as we are able to now, but I don't want the remote site to be able to access my office network except on port 25 only. Please advise. The access list is mentioned below:
access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0
Office Inside Network 192.168.50.0/24
Office DMZ Network 192.168.51.0/24
Remote Network 172.17.80.247/24
I also need to be able to ping remote network machines and servers from the office network's Inside and DMZ zones.
Thanks
07-19-2008 01:02 PM
no sysopt connection permit-ipsec
access-list OUTSIDE-IN extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
access-group OUTSIDE-IN in interface outside
or another variant
under "group-policy x.x.x.x attributes"
you can use "vpn-filter value ACL"
configure terminal
07-19-2008 01:09 PM
If I use this command "no sysopt connection permit-ipsec", then my other tunnels will stop.
Using for ISP Tunnel
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
Can you post the commands one by one? I am a bit confused here. Thanks
07-19-2008 01:35 PM
access-list XXX extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
group-policy x.x.x.x attributes
vpn-filter value XXX
07-19-2008 01:51 PM
Hi, we don't need to delete any command, as I mentioned, and second, I would like to understand whether vpn-filter is a command in ASA.
07-19-2008 01:58 PM
if you want to understand :)
read the configuration guide.
vpn-filter
To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.
vpn-filter {value ACL name | none}
no vpn-filter
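The two variants in this thread treat a connection differently: a vpn-filter ACL is written with the remote network as source and the local network as destination and is checked in both directions (for a connection started from the office side the ASA swaps source and destination, ports included, before matching), whereas an ACL bound with access-group to the outside interface is checked only for connections arriving from the remote side. The following is an added example, not code from the thread or from Cisco: a small Python model of both evaluation orders, run over the ACL line posted above and a few constructed sample connections. The address/mask pair is normalised with strict=False, so 172.17.80.247 255.255.255.0 is read as the 172.17.80.0/24 network; the TWO_WAY list and the sample flows are assumptions made for the demonstration.

```python
"""Toy model of an ASA vpn-filter ACL versus an interface (access-group) ACL.

Constructed example for this thread, not ASA code. First matching ACE wins and
every ACL ends with an implicit deny, as on the real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # "eq N" after the source, None = any
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # "eq N" after the destination, None = any


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _addr(tok, i):
    """Consume 'any', 'host A' or 'A MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # strict=False clears host bits, so "172.17.80.247 255.255.255.0" -> 172.17.80.0/24
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2


def _port(tok, i):
    """Consume an optional 'eq N' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq N] DST [eq N]'."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    src_port, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dst_port, _ = _port(tok, i)
    return Ace(action, proto, src, src_port, dst, dst_port)


def matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src_ip) in ace.src
            and ipaddress.ip_address(flow.dst_ip) in ace.dst
            and ace.src_port in (None, flow.src_port)
            and ace.dst_port in (None, flow.dst_port))


def acl_decision(acl: List[Ace], flow: Flow) -> str:
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL


def vpn_filter_decision(acl, flow, remote_net):
    """vpn-filter: ACL is written remote -> local and applied in both directions;
    a connection initiated locally is matched with source/destination swapped."""
    if ipaddress.ip_address(flow.src_ip) in remote_net:
        return acl_decision(acl, flow)
    swapped = Flow(flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return acl_decision(acl, swapped)


def outside_in_decision(acl, flow, remote_net):
    """'access-group ACL in interface outside': only connections arriving from the
    remote side are checked; locally initiated ones leave via inside and their
    replies are matched by the connection table."""
    if ipaddress.ip_address(flow.src_ip) in remote_net:
        return acl_decision(acl, flow)
    return "permit"


REMOTE = ipaddress.IPv4Network("172.17.80.0/24")
# The filter proposed in the thread, as posted.
SMTP_ONLY = [parse_ace("access-list XXX permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25")]
# Assumed extension: let the office reach remote web servers through a vpn-filter.
TWO_WAY = SMTP_ONLY + [parse_ace("access-list XXX extended permit tcp 172.17.80.0 255.255.255.0 eq 80 192.168.50.0 255.255.254.0")]

# Constructed sample connections (first packet of each).
FLOWS = {
    "remote_to_office_smtp":       Flow("tcp", "172.17.80.10", 40000, "192.168.51.25", 25),
    "remote_to_office_ssh":        Flow("tcp", "172.17.80.10", 40001, "192.168.50.5", 22),
    "remote_port80_to_office_ssh": Flow("tcp", "172.17.80.10", 80, "192.168.50.5", 22),
    "office_to_remote_web":        Flow("tcp", "192.168.50.20", 50000, "172.17.80.10", 80),
    "office_to_remote_ping":       Flow("icmp", "192.168.50.20", None, "172.17.80.10", None),
}


def evaluate(acl, decide):
    return {name: decide(acl, flow, REMOTE) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl, decide in (("vpn-filter SMTP_ONLY", SMTP_ONLY, vpn_filter_decision),
                               ("vpn-filter TWO_WAY", TWO_WAY, vpn_filter_decision),
                               ("outside-in SMTP_ONLY", SMTP_ONLY, outside_in_decision)):
        print(label)
        for name, verdict in evaluate(acl, decide).items():
            print(f"  {name:28} {verdict}")
```

Running it shows the difference that matters for the original question: with SMTP_ONLY as a vpn-filter, the office's own connections to the remote network (web, ping) are denied, because after the swap their destination port is an ephemeral port rather than 25; the same ACL bound to the outside interface leaves locally initiated traffic alone. TWO_WAY lets the office reach remote port 80, but because the filter has no notion of direction it also permits a remote host that sources its connection from port 80 to reach any office port, which is why a vpn-filter that needs to allow locally initiated traffic ends up broader than an interface ACL.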
07-19-2008 02:02 PM
Thanks. Lastly, I want to know whether there is any other way to do the same process.