I've successfully set up an L2L connection between ourselves (5510, 7.2) and a 3rd party (SonicWall).
The security requirements are such that users (contractors) at our office need to connect to various devices at the 3rd party BUT nothing at the 3rd party should connect to anything at our office.
I have tried an ACL outbound (access-group L2L-RESTRICT out interface INSIDE) on the inside interface. But the funny thing is that I'm getting hits on the deny statements in the ACL, although testing shows no problems connecting to various hosts at our site from the 3rd party. My ACL config looks like the following:
access-list L2L-RESTRICT remark *BEWARE* USE WITH CAUTION - RESTRICTIONS ON 3rd PARTY L2L VPNs
access-list L2L-RESTRICT extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
access-list L2L-RESTRICT extended deny ip 192.168.16.0 255.255.255.0 any log
access-list L2L-RESTRICT remark >>> NOTE <<< LAST LINE *MUST* BE PERMIT ANY ANY
access-list L2L-RESTRICT extended permit ip any any
access-group L2L-RESTRICT out interface INSIDE
Their network is obviously 192.168.16.x, and they won't be able to use a different source VLAN as the 'interesting traffic' ACL will not permit it. So it sounds good in theory.
Have I configured this correctly? Is there a better way?
Thanks in advance,
It looks like you might be able to assign a VPN filter ACL via a group policy assigned to each L2L tunnel. I've never done this personally before, but it seems like it would work...
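Below is an added example of the vpn-filter approach suggested in the reply, written against the networks from the original post (10.180.21.0/24 local, 192.168.16.0/24 remote). It is not the poster's configuration: the ACL, group-policy and tunnel-group names are made up, the peer address 203.0.113.10 is a placeholder, and the permitted ports (3389, 22, 443) are assumptions standing in for whatever the contractors actually need. The one thing that trips most people up is that a vpn-filter ACL is always evaluated with the remote network as the source, in both directions, so a connection initiated locally to a remote port shows up in the filter as "remote network, source port eq <port>, to local network".

```cisco
! Added example (not the poster's config). Peer 203.0.113.10 is a placeholder.
! vpn-filter rule of thumb: the REMOTE side is always written as the source,
! even for flows that our contractors initiate. The remote service port is
! therefore the SOURCE port in each permit line.
access-list VPNFILTER-3RDPARTY remark Contractors (10.180.21.0/24) -> 3rd party (192.168.16.0/24); nothing inbound
access-list VPNFILTER-3RDPARTY extended permit tcp 192.168.16.0 255.255.255.0 eq 3389 10.180.21.0 255.255.255.0
access-list VPNFILTER-3RDPARTY extended permit tcp 192.168.16.0 255.255.255.0 eq 22 10.180.21.0 255.255.255.0
access-list VPNFILTER-3RDPARTY extended permit tcp 192.168.16.0 255.255.255.0 eq 443 10.180.21.0 255.255.255.0
! Let locally initiated pings get their replies back, but nothing else via ICMP
access-list VPNFILTER-3RDPARTY extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
! Anything the 3rd party initiates towards us is dropped and logged.
! (An ACL already has an implicit deny; the explicit line is here for the log.)
access-list VPNFILTER-3RDPARTY extended deny ip any any log

! Group policy that carries the filter (assumed name)
group-policy GP-3RDPARTY-L2L internal
group-policy GP-3RDPARTY-L2L attributes
 vpn-filter value VPNFILTER-3RDPARTY

! Bind the group policy to the L2L tunnel for this peer
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-3RDPARTY-L2L

! Verification after the tunnel comes up:
!   show vpn-sessiondb detail l2l        -> confirms the filter is attached to the session
!   show access-list VPNFILTER-3RDPARTY  -> hit counts on the permit and deny lines
```

Two caveats worth knowing before relying on this. First, because the filter only looks at addresses and ports and not at which side opened the connection, a remote host that deliberately sources a TCP connection from port 3389, 22 or 443 towards 10.180.21.0/24 would match a permit line; keep the port list as short as the contractors' work allows, and watch the deny-line log for anything unexpected. Second, the vpn-filter is applied to the decrypted traffic independently of the interface ACLs, which by default are bypassed for IPsec traffic (`sysopt connection permit-vpn` is on by default on 7.x); if you would rather police the tunnel with the outside interface's inbound ACL instead, `no sysopt connection permit-vpn` makes that ACL apply to decrypted VPN traffic too, but then every tunnel on that interface is subject to it.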