Cisco Support Community
Community Member

Limiting Incoming VPN traffic

I have the following problem:

I have a vpn that I need to set up with a remote office. The purpose of this VPN is to be able to support the servers and PCs at the remote office, so the main office needs access to the whole IP range (ie. Now while I want to be able to have full access from the main office to the remote office, I don't want the remote office to be able to access any of the machines at the main office.

My question is then, can I restrict the VPN traffic to only one way? If I have an outside_cryptomap_# access-list set up to allow the traffic over the VPN, can I then restrict it further by adding a deny in my outside_access_in access-list, or does it just skip those all together?

Community Member

Re: Limiting Incoming VPN traffic

To update...

The devices that will be terminating the VPN will be PIX 515s software version 7.1(1). I need to be able to restrict with commands on the main office PIX because the remote office PIX is accessible by other technicians.
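An added configuration sketch of the one-way arrangement asked about above (written for this page, not posted by anyone in the thread); the LAN ranges, ACL sequence number and the 7.1 keyword spelling of the sysopt command are assumptions:

```cisco
! Constructed example addressing (the thread does not give the real ranges):
!   main office LAN   10.1.0.0/16  (behind "inside" on the main-office PIX)
!   remote office LAN 10.2.0.0/16  (reached through the tunnel on "outside")

! Crypto ACL: selects the traffic that gets encrypted. It must stay
! bidirectional, because replies to main-office sessions have to be
! encrypted on their way back to the remote office.
access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! By default, traffic arriving through an IPsec tunnel is NOT checked
! against the interface access-list. Disable that bypass so that
! outside_access_in is consulted for decrypted traffic as well.
! (Keyword assumed for 7.1; on 7.0 the command is "sysopt connection permit-ipsec".)
no sysopt connection permit-vpn

! Interface ACL on outside: deny new connections from the remote LAN to
! the main LAN. Sessions opened from the main office are stateful, so
! their return packets match the connection table and never hit this ACL.
! The deny is placed ahead of any existing permits in outside_access_in.
access-list outside_access_in line 1 extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group outside_access_in in interface outside

! ICMP is not stateful unless inspected; enable ICMP inspection so pings
! from the main office get their echo-replies back without a permit rule.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Because outside_access_in now also governs decrypted traffic, verify the result with `show access-list outside_access_in` (hit counts on the deny line after a connection attempt from the remote side) and `show crypto ipsec sa` (encrypt/decrypt counters still increasing for main-office sessions).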

Re: Limiting Incoming VPN traffic

The only way I have heard of ACL'ing VPN traffic on the same box as the VPN end point is to use a loopback interface and PBR. I've never done it though. A firewall of course could take care of it for you. Hopefully if there is a better way someone will post it.
