09-30-2007 05:43 PM - edited 02-21-2020 03:17 PM
It is my understanding that in order to restrict vpn connection either site-to-site or client via ports the "sysopt connection permit ipsec" command needs to be disabled and the control then comes from the access-list that is inbound on the outside interface.
Here is my scenario: 3 site to site and client vpn tunnels
Site 1 needs access to all internal hosts on 192.168.50.0 for port 5900 and full access to 192.168.50.135
Site 2 needs full access to 192.168.50.205, 192.168.50.166, 192.168.50.204 host only
Site 3 needs full access to 192.168.50.5 host only
Here is my config:
access-list acl_outside permit tcp any host a.a.a.a eq https -- this will be a static translation
access-list acl_outside permit tcp any host a.a.a.a eq 3389 -- this will be a static translation
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.220.0 255.255.255.0
access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0 eq 5900
access-list acl_outside permit ip 192.168.50.135 255.255.255.255 172.20.20.0 255.255.255.0
access-list acl_outside permit ip 192.168.50.205 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.204 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.166 255.255.255.255 150.2.0.0 255.255.0.0
access-list acl_outside permit ip 192.168.50.5 255.255.255.255 10.99.2.0 255.255.0.0
access-list acl_outside permit tcp 192.168.50.135 255.255.255.255 192.168.60.0 255.255.255.0 eq 3389
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 150.2.0.0 255.255.0.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 10.99.2.0 255.255.0.0
ip local pool clientvpnpool 192.168.60.1-192.168.60.50
nat (inside) 0 access-list nonat
access-group acl_outside in interface outside
no sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer x.x.x.x -- Site 1 192.168.10.0 and 192.168.220.0 and 172.20.20.0 Network
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer y.y.y.y -- Site 2 150.2.0.0 Network
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 set peer z.z.z.z -- Site 3 10.99.2.0 Network
crypto map mymap 40 ipsec-isakmp dynamic dynmap -- 192.168.60.0 Client VPN Network
crypto map mymap interface outside
Will this work for my scenario?
10-01-2007 06:08 AM
Looks like a lot of your statements are backwards. If the remote network is 192.168.10.0 and the local is 192.168.50.0 then they should look like this...
access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900
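The direction rule from the reply above, as an added check that is not from the thread or from Cisco: with "no sysopt connection permit-ipsec", every entry in the ACL applied inbound on the outside interface must read remote source to local destination, so any entry whose source sits inside the local LAN (192.168.50.0/24 in the post) is backwards. The function and variable names below are my own; placeholder addresses such as a.a.a.a are reported as unparsed rather than guessed.

```python
import ipaddress

LOCAL_LAN = ipaddress.ip_network("192.168.50.0/24")  # local LAN from the post


def _take_spec(tokens, i):
    """Consume one Cisco address spec at tokens[i]: any | host X | X MASK.
    Returns (network or None for 'any', index of the next token)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _spec_tokens(net):
    """Render a network back into Cisco ACL syntax."""
    if net is None:
        return ["any"]
    if net.prefixlen == 32:
        return ["host", str(net.network_address)]
    return [str(net.network_address), str(net.netmask)]


def lint_outside_acl(lines, acl_name="acl_outside", local_lan=LOCAL_LAN):
    """Check each 'access-list <acl_name> permit ...' line for direction.
    Returns (line, verdict, suggestion) tuples; verdict is 'ok', 'backwards'
    (source is inside the local LAN) or 'unparsed' (placeholder address)."""
    results = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name or t[2] != "permit":
            continue  # other ACLs (e.g. nonat) are evaluated from inside, skip them
        try:
            src, i = _take_spec(t, 4)
            dst, i = _take_spec(t, i)
        except (ValueError, IndexError):
            results.append((line, "unparsed", None))
            continue
        if src is not None and src.subnet_of(local_lan):
            # Swap the two address specs; keep name, protocol and any trailing 'eq PORT'.
            fixed = " ".join(t[:4] + _spec_tokens(dst) + _spec_tokens(src) + t[i:])
            results.append((line, "backwards", fixed))
        else:
            results.append((line, "ok", None))
    return results


# Constructed sample: two lines from the original post, one placeholder line,
# and the corrected form given in the reply.
SAMPLE = [
    "access-list acl_outside permit tcp 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 5900",
    "access-list acl_outside permit ip 192.168.50.135 255.255.255.255 192.168.10.0 255.255.255.0",
    "access-list acl_outside permit tcp any host a.a.a.a eq https",
    "access-list acl_outside permit tcp 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900",
]

if __name__ == "__main__":
    for original, verdict, fixed in lint_outside_acl(SAMPLE):
        print(verdict, "|", original, "|", fixed or "")
```

Feeding the whole posted config to lint_outside_acl() flags every acl_outside line whose source is 192.168.50.x, which is exactly the set the reply calls backwards.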
10-01-2007 04:13 PM
Yes you are correct I do have them backwards.