Limiting access to certain servers with a site to site vpn between two ASA devices

Jan 2nd, 2014

We recently lost our CISCO admin and I have to set up a site to site vpn connection with another company and was looking at the site to site vpn wizard. This looks fairly self-explanatory but I had a question: can I limit the access to a certain server, and can I do it through the wizard? Can I choose a server as the local network on step 5 (Hosts and Networks)? Will this accomplish what I am trying to do?

Marcin Latosiewicz Fri, 01/03/2014 - 00:16
Cisco Employee

William,

You are free to limit the traffic selectors to whatever Subnet/Host/IP protocol/port you wish (both source and destination).

However, bear that in mind:

- Keep the ACLs as specific as possible.

- Aggregate the ACLs whenever possible.

There is a balancing act there to be done. More access list entries will mean (potentially) more IPsec SAs with all the good and bad things which come from it.

Another way of achieving what you're looking for is using vpn-filter functionality.

http://www.cisco.com/en/US/docs/security/asa/command-reference/v.html#wp1842564

It allows you to associate an access list which will filter inbound traffic only.

M.
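The two approaches from the reply side by side, as an added ASA configuration example that is not part of the original thread: a crypto ACL that narrows the tunnel's traffic selectors to one local server, plus a vpn-filter on the tunnel's group-policy that further restricts decrypted traffic to one port. All addresses, object and ACL names, and the peer IP are constructed; the IKE policy, IPsec proposal and tunnel-group peer entry generated by the wizard are assumed to already exist.

```cisco
! Constructed values: local server 10.1.1.10, partner network 192.168.50.0/24,
! partner VPN peer 203.0.113.5. Names are hypothetical.
object network LOCAL_SERVER
 host 10.1.1.10
object network PARTNER_NET
 subnet 192.168.50.0 255.255.255.0

! Approach 1: traffic selectors. Only this host <-> partner network is
! "interesting traffic", so nothing else on the LAN is offered to the tunnel.
! One entry here means one pair of IPsec SAs for the peer.
access-list VPN_TO_PARTNER extended permit ip object LOCAL_SERVER object PARTNER_NET

! NAT exemption so the server keeps its real address inside the tunnel
nat (inside,outside) source static LOCAL_SERVER LOCAL_SERVER destination static PARTNER_NET PARTNER_NET no-proxy-arp route-lookup

! Bind the crypto ACL to the crypto map entry the wizard created for this peer
crypto map OUTSIDE_MAP 10 match address VPN_TO_PARTNER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5

! Approach 2: vpn-filter. Written from the remote side's perspective
! (source = partner, destination = local); the ASA applies it to decrypted
! traffic and mirrors it for the return direction. Here only HTTPS to the
! server is allowed even though the selectors permit "ip".
access-list PARTNER_VPN_FILTER extended permit tcp object PARTNER_NET object LOCAL_SERVER eq 443

group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value PARTNER_VPN_FILTER

! Attach the group-policy to the L2L tunnel-group for this peer
tunnel-group 203.0.113.5 general-attributes
 default-group-policy PARTNER_GP

! Note: "sysopt connection permit-vpn" is on by default, so decrypted VPN
! traffic bypasses the outside interface ACL. The vpn-filter is therefore the
! control that actually limits what the partner can reach.

! Checks: confirm the negotiated selectors and that the filter is applied
! show crypto ipsec sa peer 203.0.113.5
! show vpn-sessiondb detail l2l
```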
