Site-to-site VPN question

Dec 31st, 2008

Here is the question: is there any way to make a VPN like this? Think that one router has subnet A on its inside. The other ASA firewall has the B and C networks. What I want is that B and C can reach A via the VPN, but A should only reach B; it shouldn't reach the C network. How can we implement this? Is this possible? Because I know that VPN ACLs should be symmetric.

Thanks

Jouni Forss Wed, 12/31/2008 - 01:45

Hi,

Not really experienced with the VPN, but couldn't you just build the L2L VPN with symmetric ACLs on both sides and use different ACLs to limit the traffic from the local networks as you described?

For example, have the actual L2L VPN ACLs as:

A --> BC

permit ip a.a.a.a mask b.b.b.b mask
permit ip a.a.a.a mask c.c.c.c mask

BC --> A

permit ip b.b.b.b mask a.a.a.a mask
permit ip c.c.c.c mask a.a.a.a mask

Then use an ACL on the B and C LAN interfaces to allow traffic freely to a.a.a.a from b.b.b.b and c.c.c.c.

And would the router perhaps need a bit different ACLs, as it doesn't handle the traffic the same way as the ASA on the other end?

Something like

permit ip a.a.a.a mask b.b.b.b mask
permit tcp a.a.a.a mask c.c.c.c mask established
deny ip a.a.a.a mask c.c.c.c mask

or something in that direction?

As I said, I ain't too experienced with VPNs and I have never really built them with anything other than 2 firewalls as endpoints.
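A concrete version of the two-ACL approach described in this thread, added here as an illustration and not taken from the reply above or from Cisco documentation: the crypto ACLs on both ends are exact mirror images, and a separate interface ACL enforces the one-way restriction. The addresses (A = 10.1.0.0/24, B = 10.2.0.0/24, C = 10.3.0.0/24), ACL and crypto-map names and interface names are placeholders I chose; the ASA side relies on stateful inspection, the router side on the stateless established keyword the reply sketches.

```cisco
! ===== ASA (networks B and C behind it) =====
! Crypto ACL: mirror image of the router's (ASA uses subnet masks).
access-list L2L-CRYPTO extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
! (peer address, transform set and ISAKMP policy omitted; configure as usual)
crypto map OUTSIDE-MAP interface outside
!
! By default decrypted VPN traffic bypasses interface ACLs. Turn that off so the
! outside ACL is consulted for connections arriving from A through the tunnel.
! Caveat: this applies to every tunnel on the ASA, so any other VPN traffic that
! should be accepted must also be permitted in OUTSIDE-IN.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list OUTSIDE-IN extended deny   ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0 log
access-group OUTSIDE-IN in interface outside
! B and C sit on higher-security interfaces, so their connections to A are allowed
! without further ACLs. Because the ASA is stateful, replies from A to a
! connection that C opened match the connection table and are not checked against
! OUTSIDE-IN; only a new A -> C connection hits the deny line (and is logged).
!
! ===== Router (network A behind it) =====
! Crypto ACL: exact mirror of the ASA's (IOS uses wildcard masks).
ip access-list extended L2L-CRYPTO
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Optional belt-and-braces filter on the router's LAN interface, the stateless
! variant the reply sketches. "established" only matches TCP segments with ACK or
! RST set, so UDP and ICMP replies from A to C would be dropped by this ACL.
ip access-list extended LAN-IN
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
 deny   ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 log
 permit ip any any
interface FastEthernet0/0
 ip access-group LAN-IN in
```

The crypto ACLs stay symmetric because they only define which traffic is protected; the directional policy lives entirely in the interface ACLs, which is why the ASA side needs no sysopt connection permit-vpn for its outside ACL to take effect.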
