Cisco Support Community

New Member

configuring accesslist in a multisite vpn environment

Hi all,

I have successfully setup a multisite vpn environment, one that is similar to the link below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

My HQ office which is accepting site to site vpn connection from various other site offices is using a cisco asa5510.

My other site offices are using either pix515 or asa5510.

Network traffic between site offices is able to route to each other going through my HQ office asa5510 firewall.

If I want to use an access list to restrict traffic between the site offices, can I implement this access list on my HQ office ASA 5510 for centralised control?

Or do I need to implement it on each individual site office firewall, which is kind of troublesome? Please advise, thanks in advance.

1 ACCEPTED SOLUTION
Super Bronze

Re: configuring accesslist in a multisite vpn environment

Great, thanks. Please kindly mark the post as answered if you have no further questions. Thanks.

3 REPLIES
Super Bronze

Re: configuring accesslist in a multisite vpn environment

I would recommend that you control access from remote to HQ via an ACL applied on the remote site. The reasons are:

1) Since the traffic will be blocked, it would be good to block it sooner rather than later to save on bandwidth.

2) If traffic is blocked in the HQ, it consumes resources on both ends (i.e. the traffic is encrypted on the remote site, sent across the VPN tunnel, and then finally blocked on the HQ end). If you block it on the remote site instead, the traffic will not even be processed, which saves resources along the way.

3) Simpler implementation at the remote end, as the ACL will be simpler and only reflects the remote site's access.

However, you can also configure an ACL on the HQ site if you wish. An outbound ACL on the HQ inside interfaces can be configured to restrict access; however, please kindly be advised that you would also need to take into consideration all other traffic going outbound through your inside interface (this will include traffic initiated from outside towards inside, from other inside interfaces, from DMZ interfaces, and also all the remote VPN access towards your inside interface).

Hope that answers your question.
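The remote-site placement recommended in the reply above, written out as an added ASA configuration example (this is not from the thread, from Cisco's configuration example, or from either poster; all addresses and ACL names are constructed for illustration):

```cisco
! Constructed example addresses (assumptions, not taken from the thread):
!   HQ LAN            10.0.0.0/24
!   this site's LAN   10.1.0.0/24
!   other site's LAN  10.2.0.0/24  (reached through the HQ ASA)
!
! Interface ACL applied inbound on the remote site's "inside" interface.
! The deny is evaluated before the packet is matched against the crypto map,
! so blocked spoke-to-spoke traffic is never encrypted, never crosses the
! tunnel, and never consumes HQ resources. ACEs are matched top-down, first
! match wins, and an unmatched packet hits the implicit deny at the end.
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Caveat if you filter centrally at HQ instead: by default the ASA/PIX runs
! with "sysopt connection permit-vpn", which lets decrypted VPN traffic bypass
! interface ACLs entirely. Interface ACLs only apply to tunnel traffic after
! "no sysopt connection permit-vpn", or you filter per tunnel with a
! vpn-filter attached to the tunnel's group-policy.
```

The `log` keyword on the deny ACE makes blocked spoke-to-spoke attempts show up in syslog, which is the cheapest way to verify the rule is placed where you intended and to notice a site that is unexpectedly trying to reach another site.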

New Member

Re: configuring accesslist in a multisite vpn environment

Hi Jennifer,

Thank you for your prompt response.

I will block it at the remote site to save traffic and also for simpler implementation compared to configuring it in HQ.
