Site2Site with port restrictions

Unanswered Question
May 26th, 2009

I'm working on a site-to-site from my ASA5505 to a non-cisco firewall

I need to allow a specific IP on the other side to access my network using the following ports: 80, 443, 2980

this is what I came up with:

! Host aliases (the ACLs below still reference the raw addresses)
name A.B.140.2 NONCISCO_Ext description CLIENTSIDE external IP
name A.B.3.69 NONCISCO_Int description CLIENTSIDE internal IP
name 192.168.X.Y MY_LAN
!
! NAT exemption for traffic that goes through the tunnel
access-list inside_nat0_outside extended permit ip host 192.168.X.Y host A.B.3.69
!
! Crypto ACL (interesting traffic) and policy-NAT ACL, both any-protocol
access-list NONCISCO extended permit ip host 192.168.X.Y host A.B.3.69
access-list NONCISCO_NAT extended permit ip host 192.168.X.Y host A.B.3.69
static (inside,outside) 192.168.X.Y access-list NONCISCO_NAT
!
! Phase 2: transform set, static map entry 20 for the peer, dynamic entry 65535
crypto ipsec transform-set CLIENTSIDE esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map0 20 set pfs
crypto dynamic-map outside_dyn_map0 20 set transform-set CLIENTSIDE
crypto map CLIENTSIDE_VPN 20 match address NONCISCO
crypto map CLIENTSIDE_VPN 20 set peer A.B.140.2
crypto map CLIENTSIDE_VPN 20 set transform-set CLIENTSIDE
crypto map CLIENTSIDE_VPN 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map CLIENTSIDE_VPN interface outside
!
! L2L tunnel group keyed on the peer address
tunnel-group A.B.140.2 type ipsec-l2l
tunnel-group A.B.140.2 ipsec-attributes
 pre-shared-key ******
!
! Phase 1: two ISAKMP policies, differing only in the hash (MD5 vs SHA)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


I have 2 problems:

1. group object

I've created a group-object that allows eq 80 / eq 443 & eq 2980

how/where do I apply it?

when I tried the access-list I got a conflict message since those same ports are being used on the external link for one of my apps

2. is there a better way to configure this VPN?
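As an added illustration of the port-restriction question (this is not from the original post or its poster), one way to keep the tunnel's crypto ACL as plain "permit ip" while limiting what the remote host can reach is an ASA vpn-filter attached to the tunnel's group policy. The example below reuses the post's addresses (A.B.3.69 remote, 192.168.X.Y local, peer A.B.140.2); the names WEBPORTS, CLIENTSIDE_FILTER and CLIENTSIDE_GP are assumed.

```cisco
! Added example, not part of the original post. Assumed names: WEBPORTS,
! CLIENTSIDE_FILTER, CLIENTSIDE_GP. Addresses are the post's placeholders.

! The three allowed TCP ports as a service object-group
object-group service WEBPORTS tcp
 port-object eq 80
 port-object eq 443
 port-object eq 2980

! vpn-filter ACLs are written with the REMOTE side as source and the LOCAL
! side as destination; the ASA applies them to traffic in both directions.
! This permits only TCP 80/443/2980 from the remote host to the local host
! (return traffic is handled by the stateful inspection); everything else
! through this tunnel is dropped by the implicit deny.
access-list CLIENTSIDE_FILTER extended permit tcp host A.B.3.69 host 192.168.X.Y object-group WEBPORTS

! Group policy carrying the filter, bound to the existing L2L tunnel group
group-policy CLIENTSIDE_GP internal
group-policy CLIENTSIDE_GP attributes
 vpn-filter value CLIENTSIDE_FILTER
tunnel-group A.B.140.2 general-attributes
 default-group-policy CLIENTSIDE_GP
```

The crypto ACL (NONCISCO) and NAT ACLs stay as "permit ip host ... host ...", so the Phase 2 proxy identities still mirror what the non-Cisco peer proposes; the port restriction lives in the filter rather than in the SA definition. Note that with the default "sysopt connection permit-vpn", decrypted tunnel traffic bypasses the outside interface ACL, which is why entries added to that ACL do not constrain the tunnel; the vpn-filter is evaluated regardless of that setting. To verify the result, "show running-config access-list CLIENTSIDE_FILTER" lists hit counts per entry, and "show vpn-sessiondb detail l2l" shows which group policy and filter the active session is using.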
