We have a Site-to-Site VPN set up with one of our clients. We both need access to an internal website on each other's network. I am trying to set up a filter to only allow port 80 both ways. When I apply a filter only allowing port 80, I also have to open up a range of TCP ports. Why, and how do I get around opening up a range of TCP ports?
Are you saying that the only traffic that you want to open the Site-to-Site tunnel for is traffic to and from each other's web server on port 80? I don't understand what range of TCP ports you are referring to.
If there are no other addresses (networks) used for setting up the site-to-site tunnel, you could in essence change the interesting-traffic ACL associated with your tunnel.
Allow only 192.168.2.2/32 and 192.168.30.0/24 to 10.10.0.0/16
ACLs I'm trying to build:
Allow 192.168.30.0 255.255.255.0 to 10.10.10.55 www
Allow 10.10.10.15.0 255.255.255.0 to 192.168.2.2 www
Deny all other traffic
The problem is that this allows the traffic to go over, but it blocks the connection coming back from the web server. The only solution I have found is to open a range of TCP ports coming back from the web server address.
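The behaviour described in this post (the outbound request is permitted, the web server's reply is dropped, and opening a high port range "fixes" it) comes from the filter being evaluated packet by packet: the SYN/ACK coming back has source port 80 and an ephemeral destination port, so a rule that only matches destination port 80 never sees it. The simulation below is an added example, not code from this thread; it reuses the poster's client network (192.168.30.0/24) and web server (10.10.10.55), while the client host 192.168.30.20, the ephemeral port and the "rogue" packet are constructed. It compares four filters: the destination-port-80 ACL alone, the port-range workaround, a return-traffic rule keyed on source port 80 plus the ACK flag (this mirrors the IOS extended-ACL `established` keyword, which matches packets with ACK or RST set), and a stateful filter that tracks permitted connections.

```python
"""Added example: why a 'destination port 80 only' ACL drops a web server's
replies, and what each way of allowing the return traffic also lets through.
Constructed simulation; the client host and ports are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # ACK flag: clear only on the first SYN of a connection


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src_net: str                             # CIDR
    dst_net: str
    dport: Optional[Tuple[int, int]] = None  # inclusive destination-port range
    sport: Optional[Tuple[int, int]] = None  # inclusive source-port range
    established: bool = False                # require ACK set (IOS 'established')

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.established and not p.ack:
            return False
        return True


def stateless_filter(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Same rules, but replies to an already-permitted connection are allowed."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport) of permitted connections

    def check(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"  # reverse direction of a tracked connection
        action = stateless_filter(self.rules, p)
        if action == "permit":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return action


CLIENT, SERVER = "192.168.30.20", "10.10.10.55"      # client host is constructed
SYN = Packet(CLIENT, 51514, SERVER, 80, ack=False)   # browser -> web server
SYNACK = Packet(SERVER, 80, CLIENT, 51514, ack=True)  # web server's reply
ROGUE = Packet(SERVER, 4444, CLIENT, 5000, ack=False)  # new session from the server side

# 1. The ACL from the post: destination port 80 only (implicit deny after it).
PORT80_ONLY = [Rule("permit", "192.168.30.0/24", "10.10.10.55/32", dport=(80, 80))]
# 2. The workaround from the post: open a high port range back toward the client LAN.
PORT_RANGE = PORT80_ONLY + [Rule("permit", "10.10.10.55/32", "192.168.30.0/24", dport=(1024, 65535))]
# 3. Return-traffic rule: source port 80 and ACK set only.
ESTABLISHED = PORT80_ONLY + [Rule("permit", "10.10.10.55/32", "192.168.30.0/24",
                                  sport=(80, 80), established=True)]


def evaluate(rules):
    """Verdict of a stateless filter for the three constructed packets."""
    return {name: stateless_filter(rules, p)
            for name, p in (("syn", SYN), ("synack", SYNACK), ("rogue", ROGUE))}


def evaluate_stateful():
    """Verdict of a connection-tracking filter using only the port-80 rule."""
    fw = StatefulFilter(PORT80_ONLY)
    return {"syn": fw.check(SYN), "synack": fw.check(SYNACK), "rogue": fw.check(ROGUE)}


if __name__ == "__main__":
    print("port 80 only:", evaluate(PORT80_ONLY))   # reply is dropped
    print("port range  :", evaluate(PORT_RANGE))    # reply passes, so does ROGUE
    print("established :", evaluate(ESTABLISHED))   # reply passes, ROGUE denied
    print("stateful    :", evaluate_stateful())     # reply passes, ROGUE denied
```

Running it shows the trade-off: the port-range workaround permits the reply but also any new connection the web-server address opens toward high ports on the client LAN, the `established`-style rule permits the reply while still denying unsolicited sessions, and connection tracking needs no return rule at all. Note that a flag-based rule only inspects the ACK bit, so it is a weaker check than tracking the connection; on a platform whose ACLs are already stateful, only the port-80 rule is needed.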