Cisco Support Community
New Member

Open only one port between Site to Site Tunnel

Hi, I have just established a Site to Site Tunnel between our office and ISP and exempted the IP protocol between both ends, and it's working fine: I can access the remote network and they can access my office network as well. Now I want that we can access the remote network on all ports, as we are able to now, but I don't want the remote site to be able to access my office network except on port 25 only. Please advise. The access list is mentioned below:

access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 172.17.80.247 255.255.255.0

access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 172.17.80.247 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 172.17.80.247 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.17.80.247 255.255.255.0

Office Inside Network 192.168.50.0/24

Office DMZ Network 192.168.51.0/24

Remote Network 172.17.80.247/24

I also need to be able to ping remote network machines and servers from the office Inside and DMZ zones.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Open only one port between Site to Site Tunnel

access-list XXX permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

group-policy x.x.x.x attributes

vpn-filter value XXX

6 REPLIES

Re: Open only one port between Site to Site Tunnel

no sysopt connection permit-ipsec

access-list OUTSIDE-IN permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

access-group OUTSIDE-IN in int outside

or another variant

under "group-policy x.x.x.x attributes"

you can use "vpn-filter value ACL"

configure terminal

New Member

Re: Open only one port between Site to Site Tunnel

If I use this command "no sysopt connection permit-ipsec" then my other tunnels will stop.

Using for ISP Tunnel

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

Can you post the commands one by one? I am a bit confused here. Thanks


New Member

Re: Open only one port between Site to Site Tunnel

Hi, we don't need to delete any command, as I mentioned, and second, I would like to understand whether vpn-filter is a command in ASA.

Re: Open only one port between Site to Site Tunnel

if you want to understand :)

read the configuration guide.

vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.

vpn-filter {value ACL name | none}

no vpn-filter
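Because the ASA evaluates a LAN-to-LAN vpn-filter ACL in both directions, checking locally initiated connections with source and destination swapped, an ACL that only permits remote-to-local port 25 would also block the office from reaching the remote side; the configuration below, an added illustration rather than a reply from this thread, shows the swapped-direction entries that handle this. It assumes the remote network is 172.17.80.0/24 (written as 172.17.80.247/24 in the question), a group-policy named L2L-ISP-POLICY, and the tunnel-group 2.2.2.2 from the thread.

```cisco
! Constructed example: vpn-filter for the ISP LAN-to-LAN tunnel (pre-8.3 syntax as in the thread).
! In a vpn-filter ACL the remote side is always written as the SOURCE and the office side
! as the DESTINATION. Office Inside 192.168.50.0/24 and DMZ 192.168.51.0/24 are both
! covered by 192.168.50.0/23 (mask 255.255.254.0).

! 1) Remote site may initiate only SMTP (TCP/25) toward the office.
access-list VPN-FILTER-ISP extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 eq 25

! 2) Office may initiate TCP to any remote port. For a connection the office starts, the
!    ASA swaps source and destination before matching, so the remote service port lands
!    in the source field and the office host's ephemeral port in the destination field.
!    Limiting the destination to gt 1023 keeps this line from opening office services on
!    well-known ports, but a remote host can still open connections to office ports
!    above 1023. If that is unacceptable, the interface-ACL variant from the first reply
!    (no sysopt connection permit-ipsec plus an outside ACL) is the stateful alternative.
access-list VPN-FILTER-ISP extended permit tcp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0 gt 1023

! 3) Office may ping the remote side. ICMP is matched in both directions by this line,
!    so the remote side can ping the office as well.
access-list VPN-FILTER-ISP extended permit icmp 172.17.80.0 255.255.255.0 192.168.50.0 255.255.254.0

! Everything else crossing this tunnel (other inbound TCP ports, UDP) hits the implicit deny.

! Bind the filter to the group-policy used by the ISP tunnel. sysopt connection permit-ipsec
! can stay enabled, so the other tunnels are not affected.
group-policy L2L-ISP-POLICY internal
group-policy L2L-ISP-POLICY attributes
 vpn-filter value VPN-FILTER-ISP

tunnel-group 2.2.2.2 general-attributes
 default-group-policy L2L-ISP-POLICY

! Verify the binding with: show running-config group-policy L2L-ISP-POLICY
! and, once the tunnel is up, the Filter Name field in: show vpn-sessiondb detail l2l
```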

New Member

Re: Open only one port between Site to Site Tunnel

Thanks. Lastly, I want to know whether there is any other way to do the same thing.
