Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Restricted access for a site-to-site VPN

Hi. I'm after some advice. Is there any way to restrict the remote end of a site-to-site VPN connection to certain devices on our network? We use a Pix 515E (v7 s/w). I know how to do it for remote users connecting via Cisco client s/w but not for existing site VPNs. Thanks.

4 REPLIES
Green

Re: Restricted access for a site-to-site VPN

How are you doing it for remote access vpn's? You've got several options and they are the same as the ones for your remote access vpns.

For the lan to lan tunnels you could remove sysopt conn permit-ipsec and use interface acls to filter the traffic (will affect all ipsec traffic). You could also be very specific with your interesting traffic and nat exemption acl's to define traffic only to those devices which you wanted remote access.

New Member

Re: Restricted access for a site-to-site VPN

Hi and thanks for the reply. Existing restrictions on incoming client VPN connections are achieved by creating a new VPN group, restricting that group to one IP address when they connect then limiting what that IP address can access

(e.g.

vpngroup external_support address-pool pool2

vpngroup external_support dns-server

vpngroup external_support wins-server

vpngroup external_support default-domain

vpngroup external_support idle-time 1800

vpngroup external_support password

ip local pool pool2 10.x.x.1-10.x.x.1 mask 255.255.255.255

nat (inside) 0 access-list nonat

access-list nonat permit ip host host 10.x.x.1

access-list nonat permit ip host host 10.x.x.1)

Currently we have a number of people and companies who connect via client and site VPNs so I'm after a solution which will not affect existing connectivity. Can a similar solution to the one I already use be implemented for site vpns. Thanks.

Green

Re: Restricted access for a site-to-site VPN

Sure, you can do something like this with interesting traffic...

access-list outside_cryptomap_20 extended permit ip host

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.1

access-list outside_cryptomap_40 extended permit ip host

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer x.x.x.2

Another option is to implement a vpn-filter and apply it to specific tunnel group policies. This document is for remote access vpn's but it works for lan to lan group policies as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

New Member

Re: Restricted access for a site-to-site VPN

Thanks for the reply. I'll try it out over the next few weeks and let you know if I get stuck

153
Views
13
Helpful
4
Replies