07-19-2008 12:27 PM - edited 03-11-2019 06:17 AM
Hi, I have just established a site-to-site tunnel between our office and the ISP and exempted the IP protocol at both ends, and it is working fine: I can access the remote network and they can access my office network as well. Now I want us to access the remote network on all ports, as we are able to now, but I don't want the remote site to be able to access my office network except on port 25 only. Please advise. The access list is mentioned below:
access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 172.17.80.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.17.80.0 255.255.255.0
Office Inside Network 192.168.50.0/24
Office DMZ Network 192.168.51.0/24
Remote Network 172.17.80.247/24
I also need to be able to ping remote network machines and servers from the office Inside and DMZ zones.
Thanks
07-19-2008 01:35 PM
access-list XXX extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
group-policy x.x.x.x attributes
vpn-filter value XXX
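An added worked example, not from the thread and not Cisco's own text, of the vpn-filter approach above applied to the poster's addressing. The ACL name ISP_VPN_FILTER, the group-policy name ISP_L2L_POLICY and the TCP ports permitted towards the remote side are assumptions for illustration; the peer 2.2.2.2 is the poster's ISP tunnel-group. The point it adds is the direction rule Cisco documents for vpn-filter ACLs: the remote network is always written as the source and the office network as the destination, and for office-initiated traffic the ASA matches with source and destination swapped, so a remote-side service port goes in the source-port position.

```text
! Added example (not from the thread): vpn-filter for the ISP L2L tunnel.
! Assumptions: ASA 7.x/8.x, peer 2.2.2.2 (the poster's tunnel-group),
! remote network 172.17.80.0/24, office networks 192.168.50.0/24 and
! 192.168.51.0/24 summarised as 192.168.50.0/23 (mask 255.255.254.0).
! ISP_VPN_FILTER and ISP_L2L_POLICY are names made up for this example.
!
! A vpn-filter ACL is written with the REMOTE network as source and the
! LOCAL network as destination. For traffic the office initiates into the
! tunnel the ASA swaps the address/port positions before matching, so a
! remote-side SERVICE port appears in the source-port position.
!
! Remote -> office: only SMTP to the office networks
access-list ISP_VPN_FILTER extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
!
! Office -> remote: list each service the office must reach, with the
! remote service port in the SOURCE position. A bare
! "permit tcp <remote> <local>" with no port would also let the remote
! side initiate to any office port and defeat the SMTP-only rule.
access-list ISP_VPN_FILTER extended permit tcp 172.17.80.0 255.255.255.0 eq 80 192.168.50.0 255.255.254.0
access-list ISP_VPN_FILTER extended permit tcp 172.17.80.0 255.255.255.0 eq 443 192.168.50.0 255.255.254.0
access-list ISP_VPN_FILTER extended permit tcp 172.17.80.0 255.255.255.0 eq 3389 192.168.50.0 255.255.254.0
!
! Ping in either direction. ICMP carries no port to tie a direction to,
! and echo-reply is listed so pings work without relying on inspect icmp.
access-list ISP_VPN_FILTER extended permit icmp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 echo
access-list ISP_VPN_FILTER extended permit icmp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 echo-reply
! Anything else inside the tunnel hits the implicit deny.
!
! Bind the filter to a group policy and make that policy the default
! for the L2L tunnel-group.
group-policy ISP_L2L_POLICY internal
group-policy ISP_L2L_POLICY attributes
 vpn-filter value ISP_VPN_FILTER
tunnel-group 2.2.2.2 general-attributes
 default-group-policy ISP_L2L_POLICY
```

Because the filter is matched against both directions, "all ports" towards the remote side cannot be expressed without also opening those ports inbound; the office-initiated services have to be enumerated. The sysopt connection permit-ipsec setting is untouched, so other tunnels keep working as before.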
07-19-2008 01:02 PM
no sysopt connection permit-ipsec
access-list OUTSIDE-IN extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
access-group OUTSIDE-IN in interface outside
or another variant
under "group-policy x.x.x.x attributes"
you can use "vpn-filter value ACL"
configure terminal
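An added example, not from the thread, of the interface-ACL variant in the reply above, written so that a second tunnel stays open once the sysopt bypass is removed. The second-tunnel network 10.10.10.0/24 is a placeholder; the keyword is permit-vpn rather than permit-ipsec on ASA 8.x. Removing the sysopt subjects every tunnel's decrypted traffic to the outside ACL, and that is what makes this variant directional: remote-initiated connections are filtered by OUTSIDE-IN, office-initiated ones pass the inside and DMZ interfaces and their replies are let back in by the connection table.

```text
! Added example (not from the thread): interface-ACL variant.
! Assumptions: ASA 7.x (use "no sysopt connection permit-vpn" on 8.x),
! ISP peer 2.2.2.2 with remote network 172.17.80.0/24, a second L2L peer
! whose remote network is the placeholder 10.10.10.0/24, office networks
! 192.168.50.0/23. The ACL name OUTSIDE-IN comes from the reply above.
!
! Stop bypassing the outside ACL for decrypted VPN traffic. From here on
! the decrypted traffic of EVERY tunnel must be permitted in OUTSIDE-IN.
no sysopt connection permit-ipsec
!
! ISP tunnel: the remote side may only open SMTP to the office, plus ping
access-list OUTSIDE-IN extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25
access-list OUTSIDE-IN extended permit icmp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 echo
!
! Other tunnel(s): keep their existing access (placeholder network)
access-list OUTSIDE-IN extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.254.0
!
! Any rules the outside interface already needed for non-VPN traffic
! belong in this ACL as well.
access-group OUTSIDE-IN in interface outside
!
! Office -> remote needs no rule here: traffic from inside/DMZ entering
! the tunnel is governed by those interfaces' ACLs (or the default that
! lets higher-security traffic reach lower-security interfaces), and the
! stateful connection table admits the replies regardless of OUTSIDE-IN.
! ICMP is not stateful by default, so enable ICMP inspection to match
! echo-replies to the office's own pings instead of listing them above.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Before removing the sysopt on a box with several tunnels, enumerate every peer's remote network and add it to OUTSIDE-IN first; the moment the bypass is gone, any tunnel without a matching permit silently loses its inbound traffic.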
07-19-2008 01:09 PM
If I use this command "no sysopt connection permit-ipsec" then my other tunnels will stop.
Used for the ISP tunnel:
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
Can you post the commands one by one? I am a bit confused here. Thanks
07-19-2008 01:51 PM
Hi, we don't need to delete any command, as I mentioned, and second, I would like to understand whether vpn-filter is a command in ASA.
07-19-2008 01:58 PM
if you want to understand :)
read the configuration guide.
vpn-filter
To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.
vpn-filter {value ACL name | none}
no vpn-filter
07-19-2008 02:02 PM
Thanks. Lastly, I want to know whether there is any other way to do the same process.