358 Views, 0 Helpful, 2 Replies

Hub and Spoke Access List config question

cavemanbobby
Level 1

So I've got a hub and spoke config setup between three sites (Reston, DC, and NY, with DC being the middle site between the other two) currently up and operational (thanks, acomiskey). All is good to go, but I wanted to lock down some ports/services and don't have much experience with access lists.

I'm only going to be doing rsync over TCP port 873 between DC and NY (DC will be doing an RSYNC pull from NY only). I'd also like to have ICMP for troubleshooting, as well, if possible.

I also wanted to only allow SSH access and icmp *from* Reston to DC, so the only thing Reston can do is SSH and PING the DC hosts.

Right now Reston can get to NY through DC (hence the hub and spoke). I'd like for that to continue after locking down rsync between DC and NY.

Hope that's not too confusing :) Thanks in advance.

2 Replies

wong34539
Level 6

The sample configuration at the URL below shows a hub and spoke IPsec design between three routers. This configuration differs from other hub and spoke configurations because in this example, communication is enabled between the spoke sites by going through the hub. In other words, there is not a direct IPsec tunnel between the two spoke routers. All packets are sent across the tunnel to the hub router, which redistributes them out the IPsec tunnel shared with the other spoke router.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

javzone
Level 1

hello

Please find the access-list you may require to configure at Reston; likewise you could make one for the other sites as well.

At Reston

! ASA syntax: "line N" goes before "extended", and ICMP types are given without "eq"
! first drop the broad permit-any-IP entry so only the specific entries below remain
no access-list 100 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
! rsync (TCP 873) and SSH (TCP 22) from the Reston LAN to the DC LAN, logged
access-list 100 line 1 extended permit tcp 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0 eq 873 log
access-list 100 line 2 extended permit tcp 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0 eq 22 log
! ping (echo / echo-reply) between the same two networks
access-list 100 line 3 extended permit icmp 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0 echo log
access-list 100 line 4 extended permit icmp 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0 echo-reply log
! apply inbound on the inside interface; everything not listed hits the implicit deny
access-group 100 in interface inside

HTH
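To check that the original poster's four requirements are met by a first-match ACL before typing it into the hub, here is a small evaluator (an added example, not code from the thread or from Cisco). The Reston and DC subnets are taken from javzone's reply; the NY subnet and the unrestricted Reston-to-NY entry are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Reston and DC subnets come from javzone's reply; NY is a constructed
# placeholder because the thread never states it.
RESTON = ip_network("192.168.60.0/24")
DC = ip_network("10.10.50.0/24")
NY = ip_network("10.10.70.0/24")  # placeholder, not from the thread


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, networks, optional port/ICMP type."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: object                      # ip_network of allowed sources
    dst: object                      # ip_network of allowed destinations
    dport: Optional[int] = None      # TCP/UDP destination port, like "eq 873"
    icmp_type: Optional[str] = None  # ICMP type name, like "echo"

    def matches(self, proto, src, dst, dport=None, icmp_type=None):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return self.icmp_type is None or self.icmp_type == icmp_type


# The poster's policy as an ACL on the DC hub: evaluated top-down, first match
# wins, implicit deny at the end. Only the initiating direction is listed: a
# stateful firewall (the ASA syntax used in the reply) tracks return traffic;
# a stateless router ACL would also need mirror entries for SYN-ACK/echo-reply.
HUB_ACL = [
    Ace("permit", "tcp", DC, NY, dport=873),              # DC pulls rsync from NY
    Ace("permit", "icmp", DC, NY, icmp_type="echo"),      # ping for troubleshooting
    Ace("permit", "tcp", RESTON, DC, dport=22),           # Reston may only SSH ...
    Ace("permit", "icmp", RESTON, DC, icmp_type="echo"),  # ... and ping DC hosts
    Ace("permit", "ip", RESTON, NY),  # Reston still reaches NY via the hub (assumed unrestricted)
]


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """Return "permit" or "deny" for one flow using first-match and implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport, icmp_type):
            return ace.action
    return "deny"
```

Flows not listed, such as NY initiating rsync towards DC or Reston trying rsync against DC, fall through to the implicit deny.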
