12-24-2009 07:17 AM
12-24-2009 09:13 AM
Kurt,
Are you saying that the only traffic you want to open the site-to-site tunnel for is traffic to and from each other's web server on port 80? I don't understand which range of TCP ports you are referring to.
If there are no other addresses (networks) used for setting up the site-to-site tunnel, you could in essence change the interesting-traffic ACL associated with your tunnel.
At the headend (HQ):
access-list VPN-Hq2Remote ext permit tcp 192.168.200.0 255.255.255.0 gt 1024 host 192.168.100.10 eq www
At the remote site:
access-list VPN-Remote2Hq ext permit tcp 192.168.100.0 255.255.255.0 gt 1024 host 192.168.200.10 eq www
Hope this helps,
Joe
12-28-2009 06:02 AM
HQ
Web Server 192.168.2.2
Users 192.168.30.X
Remote site
Web Server 10.10.10.55
Users 10.10.15.X
Current tunnel
Allow only 192.168.2.2/32 and 192.168.30.0/24 to 10.10.0.0/16
ACLs I'm trying to build:
Allow 192.168.30.0 255.255.255.0 to 10.10.10.55 www
Allow 10.10.15.0 255.255.255.0 to 192.168.2.2 www
Deny all other traffic
The problem is that this allows the traffic to go over, but it blocks the connection coming back from the web server. The only solution I have found is to open a range of TCP ports coming back from the web server address.
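The symptom Kurt describes (request goes out, reply from the web server never comes back) is what you get when one side's crypto ACL has no entry for the reply and the two sides' ACLs are not mirror images. The script below is an added example, not part of this thread and not Cisco code. It parses a small subset of ASA/IOS extended ACL syntax (only `permit tcp` entries with optional `eq`/`gt`/`lt` port operators; `deny` lines and other protocols are ignored), builds the mirror of one side's ACL, and checks one constructed HTTP flow in both directions. The ACL names (VPN-Hq2Remote, VPN-Remote2Hq), the client address 192.168.30.20 and its source port 40000 are assumptions; the networks and web server addresses are the ones given in the post above. The matching rule it applies is the simple one implied by the thread: the side that sends a packet must hold a permit entry matching it, and the peer must hold the mirror image so the reply is encrypted on the way back.

```python
"""Check that a pair of crypto ACLs protects both directions of a TCP flow.

Added example; not the original poster's configuration and not Cisco code.
The ACL text below is constructed from the addresses in the thread; ACL names,
the client address and its ephemeral port are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
PortSpec = Optional[Tuple[str, int]]  # ("eq"|"gt"|"lt", port) or None = any port


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    sport: PortSpec
    dst: ipaddress.IPv4Network
    dport: PortSpec

    def mirror(self) -> "Ace":
        """The entry the peer must hold: source and destination swapped."""
        return Ace(self.dst, self.dport, self.src, self.sport)

    def matches(self, sip: str, sp: int, dip: str, dp: int) -> bool:
        return (ipaddress.ip_address(sip) in self.src
                and ipaddress.ip_address(dip) in self.dst
                and _port_ok(self.sport, sp) and _port_ok(self.dport, dp))


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def _port(tok, i):
    """Parse an optional 'eq|gt|lt PORT' operator starting at tok[i]."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        v = tok[i + 1]
        return (tok[i], PORT_NAMES[v] if v in PORT_NAMES else int(v)), i + 2
    return None, i


def parse_acl(text: str):
    """Return the permit-tcp entries of an ASA-style access-list as Ace objects."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        tok = [t for t in tok if t not in ("extended", "ext")]
        if tok[2] != "permit" or tok[3] != "tcp":
            continue  # deny lines and non-TCP entries are not modelled
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(src, sport, dst, dport))
    return aces


def is_mirrored(local, peer) -> bool:
    """True when every local entry has its exact mirror on the peer and vice versa."""
    return {a.mirror() for a in local} == set(peer)


def flow_protected(local, peer, sip, sp, dip, dp):
    """(request matched by local ACL, reply matched by peer ACL)."""
    fwd = any(a.matches(sip, sp, dip, dp) for a in local)
    back = any(a.matches(dip, dp, sip, sp) for a in peer)
    return fwd, back


# Constructed: one entry per side, users to the peer's web server only.
HQ_FIRST_TRY = """
access-list VPN-Hq2Remote extended permit tcp 192.168.30.0 255.255.255.0 gt 1024 host 10.10.10.55 eq www
"""
REMOTE_FIRST_TRY = """
access-list VPN-Remote2Hq extended permit tcp 10.10.15.0 255.255.255.0 gt 1024 host 192.168.2.2 eq www
"""
# Constructed: each side lists its users' requests and its own server's replies;
# the two lists are exact mirror images of each other.
HQ_FIXED = """
access-list VPN-Hq2Remote extended permit tcp 192.168.30.0 255.255.255.0 gt 1024 host 10.10.10.55 eq www
access-list VPN-Hq2Remote extended permit tcp host 192.168.2.2 eq www 10.10.15.0 255.255.255.0 gt 1024
"""
REMOTE_FIXED = """
access-list VPN-Remote2Hq extended permit tcp host 10.10.10.55 eq www 192.168.30.0 255.255.255.0 gt 1024
access-list VPN-Remote2Hq extended permit tcp 10.10.15.0 255.255.255.0 gt 1024 host 192.168.2.2 eq www
"""


def check(hq_text: str, remote_text: str) -> dict:
    hq, rem = parse_acl(hq_text), parse_acl(remote_text)
    # Constructed flow: an HQ user (assumed 192.168.30.20:40000) browsing the remote web server.
    fwd, back = flow_protected(hq, rem, "192.168.30.20", 40000, "10.10.10.55", 80)
    return {"mirrored": is_mirrored(hq, rem), "request_encrypted": fwd, "reply_encrypted": back}


if __name__ == "__main__":
    print("first try:", check(HQ_FIRST_TRY, REMOTE_FIRST_TRY))
    print("fixed:    ", check(HQ_FIXED, REMOTE_FIXED))
```

With the first-try pair, the request from 192.168.30.0/24 matches the HQ ACL, but the reply from 10.10.10.55 port 80 matches nothing on the remote side, so the remote firewall never encrypts it; that is the "blocked coming back" behaviour in the post. The fixed pair adds the reply entry on each side (`host <web server> eq www <peer users> gt 1024`) rather than opening a range of ports, and the two ACLs are exact mirrors, which is also what the peers need to agree on during phase 2 negotiation.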