Hi. I'm after some advice. Is there any way to restrict the remote end of a site-to-site VPN connection to certain devices on our network? We use a Pix 515E (v7 s/w). I know how to do it for remote users connecting via Cisco client s/w but not for existing site VPNs. Thanks.
How are you doing it for remote access VPNs? You've got several options and they are the same as the ones for your remote access VPNs.
For the LAN-to-LAN tunnels you could remove sysopt conn permit-ipsec and use interface ACLs to filter the traffic (will affect all IPsec traffic). You could also be very specific with your interesting traffic and NAT exemption ACLs to define traffic only to those devices which you wanted remote access.
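A worked PIX 7.x configuration for the two options in the reply above, added here as an example and not taken from the thread; every address, peer, ACL name and crypto-map name is a placeholder to be replaced with your own values, and the peer's crypto ACL must mirror the one shown.

```cisco
! Added example (not from the thread). Placeholders:
!   192.168.10.20 / .21 = the only inside hosts the remote site may reach
!   172.16.50.0/24      = remote site's LAN,  203.0.113.10 = remote peer
!
! Option 1 -- narrow the interesting-traffic (crypto) ACL and the NAT
! exemption ACL to those two hosts. Traffic to any other inside host never
! matches the tunnel, so it is neither encrypted nor exempted from NAT.
access-list L2L_REMOTE_OFFICE extended permit ip host 192.168.10.20 172.16.50.0 255.255.255.0
access-list L2L_REMOTE_OFFICE extended permit ip host 192.168.10.21 172.16.50.0 255.255.255.0
access-list nonat extended permit ip host 192.168.10.20 172.16.50.0 255.255.255.0
access-list nonat extended permit ip host 192.168.10.21 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto ipsec transform-set L2L_SET esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address L2L_REMOTE_OFFICE
crypto map OUTSIDE_MAP 20 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 set transform-set L2L_SET
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <placeholder-psk>
!
! Option 2 -- leave the existing crypto ACL alone, but stop decrypted VPN
! traffic from bypassing the outside interface ACL. This affects every
! tunnel and remote-access client, so each one needs its own permit line.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN extended permit ip 172.16.50.0 255.255.255.0 host 192.168.10.20
access-list OUTSIDE_IN extended permit ip 172.16.50.0 255.255.255.0 host 192.168.10.21
access-list OUTSIDE_IN extended deny ip 172.16.50.0 255.255.255.0 any log
access-group OUTSIDE_IN in interface outside
```

With option 2, check `show access-list OUTSIDE_IN` for hit counts on the deny line to confirm that traffic from the remote site to non-permitted hosts is being dropped rather than silently matched elsewhere.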
Hi and thanks for the reply. Existing restrictions on incoming client VPN connections are achieved by creating a new VPN group, restricting that group to one IP address when they connect, then limiting what that IP address can access.
vpngroup external_support address-pool pool2
vpngroup external_support dns-server
vpngroup external_support wins-server
vpngroup external_support default-domain
vpngroup external_support idle-time 1800
vpngroup external_support password
ip local pool pool2 10.x.x.1-10.x.x.1 mask 255.255.255.255
nat (inside) 0 access-list nonat
access-list nonat permit ip host host 10.x.x.1
access-list nonat permit ip host host 10.x.x.1
Currently we have a number of people and companies who connect via client and site VPNs, so I'm after a solution which will not affect existing connectivity. Can a similar solution to the one I already use be implemented for site VPNs? Thanks.