08-18-2008 05:10 AM
hey guys, easy stuff here.
-Router 1800 series
-LAN 10.77.77.0/24
-Public IP 69.69.69.4
-Remote router 800 series
-Remote Office LAN 10.66.66.0/24
-Remote Office Public IP 60.60.60.5
Currently, there is a L2L tunnel using IPSec between the 2 networks and those inside LANs can communicate with each other without any problems.
The requirement now is to lock this tunnel down to allow only the following:
-Remote Office LAN (10.66.66.0/24) hosts should not access the internet. In fact, there are only 3 hosts (10.66.66.200, .201 and .202) and these 3 hosts should only be allowed access to 10.77.77.20 and to 10.77.77.21 on port tcp 9399, and nothing else.
How will this be accomplished?
Thanks in advance
08-18-2008 06:51 AM
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399
and repeat the same ACL entries for the other three clients, .201 and .202
then apply it on the outside interface in the inbound direction
like
interface [port]
ip access-group 100 in
if you wonder where the deny is:
after each ACL there is, at the end, a deny called the implicit deny
so everything not permitted in the above ACL will be denied
if you want to make an explicit deny, just add the following line after you finish all the entries
access-list 100 deny ip any any
good luck
please, if helpful Rate
08-18-2008 09:53 AM
This is what confuses me. If the traffic is originating from the inside LAN (and this is exactly the traffic we want to deny to anything except those hosts), why would we apply the access list to the Outside interface?
And to confuse me even more, why would we tell the outside interface that the access-list is applied in the IN direction? I thought the traffic coming from the outside world and destined to our Outside Interface would be considered the IN direction.
08-18-2008 04:19 PM
ohh sorry mate, I thought this traffic was coming to you through the VPN
ok
if you want only the above traffic to go through the VPN
make the ACLs I have mentioned above
then
in the crypto map config, include it in the interesting traffic with the command
match address 100
this way only the traffic allowed in the ACL will bring up the VPN tunnel
for the internet:
the same ACL, which allows only the hosts to access the servers on the specified port,
apply it on the remote router's inside interface in the inbound direction
in other words
all the above config goes in the remote site (close to the hosts you want to restrict)
do the ACL 100 as I mentioned above, finish all its entries, apply it for the VPN interesting traffic and inbound on the inside interface of the remote router
hope this time helpful :) sorry about the misunderstanding
please, if helpful Rate
if you need any more details just post them here
good luck
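The complete remote-router configuration that the answer above describes, written out as an added example (not posted by anyone in this thread). Addresses and the port come from the original question; the interface names (Vlan1, FastEthernet4), the LAN gateway address 10.66.66.1, the crypto map name VPNMAP and the transform set TS are assumptions.

```cisco
! Added example, not from the thread. Remote 800-series router.
! Interface names, 10.66.66.1, VPNMAP and TS are assumed; the rest
! comes from the original question.
!
! ACL 100: the only flows the three hosts may originate.
access-list 100 remark allowed: 3 hosts -> 10.77.77.20/.21 tcp/9399 only
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.21 eq 9399
! Explicit deny (the implicit deny does the same); "log" records every
! blocked attempt so misconfigured hosts show up in the router log.
access-list 100 deny ip any any log
!
! 1) The same ACL as crypto "interesting traffic": only these flows
!    are encrypted and only they bring the tunnel up.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 69.69.69.4
 set transform-set TS
 match address 100
!
! 2) The same ACL inbound on the LAN-facing interface: anything else
!    the office sends (Internet, other ports, other hosts) is dropped
!    before it is routed, so it never reaches the outside interface.
interface Vlan1
 description Remote office LAN 10.66.66.0/24
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet4
 description Internet / tunnel endpoint 60.60.60.5
 ip address 60.60.60.5 255.255.255.0
 crypto map VPNMAP
```

The crypto ACL on the 1800 at the main site must be the exact mirror image (source host 10.77.77.20/.21 eq 9399, destination the three hosts), otherwise the proxy identities do not match and the tunnel will not negotiate. Because ACL 100 permits only TCP, the three hosts also lose ICMP and DNS; check the log entries from the deny line before deciding whether that is acceptable.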