Cisco Support Community
How do I lock down a Firewall on a site to site VPN

I have a site to site VPN and management wants the whole thing locked down except for 3 ports (5950, 5631, and 5632). Is this even possible? Thanks.

1 ACCEPTED SOLUTION

Re: How do I lock down a Firewall on a site to site VPN

Yes, I am assuming that you are using ASA for vpn.

so if the site to site vpn interesting traffic is site-a 10.0.1.0/24 to site-b 10.0.2.0/24 then

site a (which needs security)

disable sysopt permit vpn using

no sysopt connection permit-vpn

now the vpn traffic will be scanned against the access rules on the outside interface, so place a rule

! the three ports the question asked for; ASA spells the protocol keyword tcp-udp
object-group service allowed tcp-udp
 port-object eq 5950
 port-object eq 5631
 port-object eq 5632

! permit only those ports from site-b into site-a
access-list outside-in extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 object-group allowed

! the ACL does nothing until it is applied inbound on the outside interface
access-group outside-in in interface outside

Thanks

Manish
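The point of the accepted answer is that once `sysopt connection permit-vpn` is disabled, decrypted tunnel traffic is subject to the outside interface ACL like any other inbound traffic, so the lockdown only holds if three things are true at once: the sysopt is off, an ACL is bound inbound on `outside`, and the ACEs covering site-b to site-a traffic permit nothing beyond the approved ports. The following audit script is an added example, not code from the thread or from Cisco; it parses a constructed ASA config snippet with a small tokenizer (only the `object-group service` port-group form and `extended permit` ACEs with `eq` or `object-group` port specs are handled) and reports which ports are actually reachable from the peer subnet. The config text, subnet values and function names are all assumptions made for this example.

```python
import re

# Constructed sample ASA configuration (written for this example; not from the
# thread). It applies the accepted answer: sysopt permit-vpn disabled, a port
# object-group holding the three ports the question asked for, and an inbound
# ACL on the outside interface that only permits those ports from site B to site A.
LOCKED_DOWN_CONFIG = """\
object-group service allowed tcp-udp
 port-object eq 5950
 port-object eq 5631
 port-object eq 5632
access-list outside-in extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 object-group allowed
access-list outside-in extended permit udp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 object-group allowed
access-group outside-in in interface outside
no sysopt connection permit-vpn
"""

# Constructed "before" state: the default sysopt is left in place and a permit-ip
# rule exists, so decrypted VPN traffic is not restricted at all.
OPEN_CONFIG = """\
access-list outside-in extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-group outside-in in interface outside
"""

PEER_NET = ("10.0.2.0", "255.255.255.0")   # site B, the remote end of the tunnel
LOCAL_NET = ("10.0.1.0", "255.255.255.0")  # site A, the side being protected
EXPECTED_PORTS = {5950, 5631, 5632}        # the ports management approved


def parse_port_groups(config):
    """Return {group_name: set_of_ports} for every 'object-group service' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) (?:tcp|udp|tcp-udp)\s*$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the current block
            continue
        if current is None:
            continue
        m = re.match(r"\s+port-object eq (\d+)$", line)
        if m:
            groups[current].add(int(m.group(1)))
        m = re.match(r"\s+port-object range (\d+) (\d+)$", line)
        if m:
            groups[current].update(range(int(m.group(1)), int(m.group(2)) + 1))
    return groups


def _address(tokens, i):
    """Consume one ASA address spec ('any' or 'net mask') starting at tokens[i]."""
    if tokens[i] in ("any", "any4"):
        return "any", i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def audit_vpn_lockdown(config, peer_net, local_net, expected_ports):
    """Check that tunnel traffic from peer_net to local_net is limited to expected_ports.

    Returns a dict: permit_vpn_disabled (bool), acl_bound (ACL name or None),
    allowed_ports (set of ints, or None when an ACE permits every port) and
    findings (list of strings; empty when the lockdown holds).
    """
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []

    permit_vpn_disabled = "no sysopt connection permit-vpn" in lines
    if not permit_vpn_disabled:
        findings.append("sysopt connection permit-vpn is still in effect: "
                        "VPN traffic bypasses the outside interface ACL")

    acl = None
    for line in lines:
        m = re.match(r"access-group (\S+) in interface outside$", line)
        if m:
            acl = m.group(1)
    if acl is None:
        findings.append("no access-list is applied inbound on the outside interface")

    groups = parse_port_groups(config)
    allowed, wildcard = set(), False
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", acl] \
                or tokens[2:4] != ["extended", "permit"]:
            continue
        proto = tokens[4]
        src, i = _address(tokens, 5)
        dst, i = _address(tokens, i)
        if src not in ("any", peer_net) or dst not in ("any", local_net):
            continue  # this ACE does not cover tunnel traffic in the audited direction
        rest = tokens[i:]
        if proto == "ip" or not rest:
            wildcard = True
            findings.append(f"ACE permits every port: {line}")
        elif rest[0] == "eq":
            allowed.add(int(rest[1]))
        elif rest[0] == "object-group":
            allowed |= groups.get(rest[1], set())

    extra = allowed - expected_ports
    if extra:
        findings.append(f"ports permitted beyond the approved list: {sorted(extra)}")
    missing = expected_ports - allowed
    if missing and not wildcard:
        findings.append(f"approved ports not permitted: {sorted(missing)}")

    return {"permit_vpn_disabled": permit_vpn_disabled, "acl_bound": acl,
            "allowed_ports": None if wildcard else allowed, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("locked down", LOCKED_DOWN_CONFIG), ("open", OPEN_CONFIG)):
        print(name, audit_vpn_lockdown(cfg, PEER_NET, LOCAL_NET, EXPECTED_PORTS))
```

Run against `show running-config` output, the audit reports an empty findings list only when all three conditions hold; on the open config it flags both the missing `no sysopt connection permit-vpn` and the `permit ip` ACE, which is exactly the state the question describes before the change.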

3 REPLIES
Re: How do I lock down a Firewall on a site to site VPN

That worked. Thanks.
