VPN tunnel and access lists

Hi all,

I am in the process of creating a site-to-site tunnel between 2 sites. We need to access e-mail, internet and RDP from site A on site B, and we need to access RDP, telnet and mail from site B to site A. Can anyone tell me what I need to do to create the tunnel? Do I just allow source-to-destination networks and then use an access list to prohibit the ports, or do I do this in the tunnel setup itself?

Do the tunnel's encrypted networks need to be exactly the same on both ends?

Thanks

1 REPLY

Re: VPN tunnel and access lists

Yes, the interesting traffic should be a mirror image on either end. For instance...

Site A

access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B

access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

There are 2 options for restricting the VPN traffic.

1. Remove "sysopt connection permit-ipsec/vpn". This will force all IPsec traffic to be filtered in your regular interface access lists. So to allow traffic from site B to site A...

Site A

no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21
access-list outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 25
access-group outside_access_in in interface outside

Site B

no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 25
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq http
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 3389
access-group outside_access_in in interface outside

2. Use the vpn-filter attribute in the tunnel group policy to restrict the traffic.

This example is for remote-access VPN but also works for L2L (site-to-site).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
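The mirror requirement in the reply above is easy to get wrong by hand (a transposed octet or a host address where a network address belongs), and a mismatch shows up only as a tunnel that never negotiates or that passes traffic in one direction. As an added example that is not part of this thread or of any Cisco tool, the Python below parses the `access-list NAME extended permit ip SRC MASK DST MASK` lines from each side's config, swaps source and destination for the peer, and reports any entries that do not line up. The sample configs are constructed from the 192.168.1.0/24 and 192.168.2.0/24 networks in the reply, plus a deliberately wrong peer config; the function and list names are this example's own.

```python
import ipaddress
import re

# ASA extended ACE of the shape used in the reply:
#   access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)


def parse_ace(line):
    """Parse one ACE into (action, proto, src_net, dst_net).

    strict=True makes ipaddress reject a network address with host bits set
    (e.g. 192.168.1.1 255.255.255.0), a common typo in crypto ACLs.
    """
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=True)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=True)
    return (m["action"], m["proto"], src, dst)


def parse_acl(config_text, name):
    """Collect the ACEs of the named access-list from a config dump."""
    prefix = f"access-list {name} "
    return [parse_ace(line) for line in config_text.splitlines()
            if line.strip().startswith(prefix)]


def mirror(aces):
    """Swap source and destination of every ACE (what the peer must carry)."""
    return {(action, proto, dst, src) for (action, proto, src, dst) in aces}


def crypto_acl_mismatches(site_a_cfg, site_b_cfg, name="crypto"):
    """Return (only_in_a, missing_on_a): ACEs of A that B does not mirror,
    and mirrored ACEs of B that A lacks. Both empty means the ACLs mirror."""
    a = set(parse_acl(site_a_cfg, name))
    b_mirrored = mirror(parse_acl(site_b_cfg, name))
    return (sorted(a - b_mirrored, key=str), sorted(b_mirrored - a, key=str))


def crypto_acls_mirror(site_a_cfg, site_b_cfg, name="crypto"):
    """True when every ACE on one side has its mirror on the other."""
    only_a, only_b = crypto_acl_mismatches(site_a_cfg, site_b_cfg, name)
    return not only_a and not only_b


# Constructed sample configs using the networks from the reply above.
SITE_A = """\
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
SITE_B = """\
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Constructed: peer B encrypts a different subnet, so the ACLs do not mirror.
SITE_B_WRONG = """\
access-list crypto extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    print("A/B mirror:", crypto_acls_mirror(SITE_A, SITE_B))
    print("A/B_WRONG mirror:", crypto_acls_mirror(SITE_A, SITE_B_WRONG))
    print("mismatches:", crypto_acl_mismatches(SITE_A, SITE_B_WRONG))
```

Run it against `show running-config access-list` output from both firewalls before bringing the tunnel up; a non-empty mismatch list is the exact ACE to correct on one side. The same check applies to the interface ACLs in option 1, since those must also name the peer's network as source and the local network as destination.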
