
RV042 VPN site to site access rule help needed

kenlockwood75
Level 1

Hello All-

I'm new to the forum so please forgive me if I broke any etiquette. I have two remote sites. They each have a RV042 VPN router. The subnet for one site is 190.200.10.X and the other site is 190.200.85.x. I only want IP address range 190.200.85.224-228 to be able to access IP address 190.200.10.5-9. I've tried creating access rules but they do not work. I have servers in each building and I only want the servers to talk to each other through the VPN tunnel and nothing else. Do the access rules apply only to traffic from the WAN and therefore not apply to a "trusted VPN connection"? If so, is there any way to accomplish what I want to do?


Thank you!


Ken

2 Replies

wichilds
Level 4

Ken,

It sounds as though you need ACLs that will filter LAN to LAN traffic. The main thing you want to keep in mind when writing these is to make sure you deny traffic coming from a specific source (being the other LAN) to the destination. The WAN IP addressing is not involved when doing VPN connections and ACLs.

Bill

Alejandro Gallego
Cisco Employee

Sorry for butting in...

Have you tried to create the VPN tunnel using the "local" and "remote" security groups as RANGE rather than SUBNET? Really, that should do exactly what you are describing.

When that is configured, the IPSec tunnel does two things:

1. Only allows traffic from IPs defined in the tunnel (both WAN and LAN source and destination) -- this is the ACL

2. Creates a route statement for all allowed devices through the tunnel.

Try this first and let us know; if you already did this, please post a log.
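As an added illustration (example code, not from the thread or from the RV042 firmware), the following models the tunnel's "local" and "remote" security groups as inclusive IPv4 ranges and shows which flows a SUBNET selector versus a RANGE selector admits into the tunnel; the /24 masks for the two sites are an assumption, since the thread only gives "190.200.10.X" and "190.200.85.x".

```python
import ipaddress

# Added example, not from the thread: models the traffic selector ("local" and
# "remote" security group) of an IPsec site-to-site tunnel as an inclusive IPv4
# range on each side, and checks which packets the selector lets into the tunnel.

class TunnelSelector:
    """Local and remote security groups, each an inclusive IPv4 address range."""

    def __init__(self, local_start, local_end, remote_start, remote_end):
        a = ipaddress.IPv4Address
        self.local = (a(local_start), a(local_end))
        self.remote = (a(remote_start), a(remote_end))

    @classmethod
    def from_subnets(cls, local_net, remote_net):
        """Selector of type SUBNET: every host in each network is a match."""
        ln = ipaddress.IPv4Network(local_net)
        rn = ipaddress.IPv4Network(remote_net)
        return cls(str(ln[0]), str(ln[-1]), str(rn[0]), str(rn[-1]))

    @staticmethod
    def _within(ip, bounds):
        return bounds[0] <= ipaddress.IPv4Address(ip) <= bounds[1]

    def permits(self, src, dst):
        """True if src->dst matches the selector in either direction of the tunnel."""
        outbound = self._within(src, self.local) and self._within(dst, self.remote)
        inbound = self._within(src, self.remote) and self._within(dst, self.local)
        return outbound or inbound

# Site A is the 190.200.85.x side; site B is the 190.200.10.x side. The /24 masks
# are an assumption (the thread only says ".X" / ".x").
SUBNET_TUNNEL = TunnelSelector.from_subnets("190.200.85.0/24", "190.200.10.0/24")
RANGE_TUNNEL = TunnelSelector("190.200.85.224", "190.200.85.228",
                              "190.200.10.5", "190.200.10.9")

def compare(src, dst):
    """Return (permitted by SUBNET tunnel, permitted by RANGE tunnel) for one flow."""
    return SUBNET_TUNNEL.permits(src, dst), RANGE_TUNNEL.permits(src, dst)

if __name__ == "__main__":
    # Constructed sample flows between the two sites.
    for flow in [("190.200.85.225", "190.200.10.7"),    # server to server
                 ("190.200.85.50", "190.200.10.7"),     # workstation to server
                 ("190.200.10.9", "190.200.85.224"),    # reply direction
                 ("190.200.85.224", "190.200.10.50")]:  # server to non-server
        print(flow, compare(*flow))
```

Only the flows where both endpoints fall inside the RANGE groups get a (True, True) result; the SUBNET tunnel admits every host on both LANs, which is why it cannot limit the tunnel to the servers.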
