
Site-to-site VPN question

Here is the question: is there any way to make a VPN like this? Think of one router that has subnet A on its inside. The other end, an ASA firewall, has networks B and C. What I want is for B and C to be able to reach A via the VPN, but A should only reach B; it shouldn't reach the C network. How can we implement this? Is this possible? Because I know that VPN ACLs should be symmetric.



Re: Site-to-site VPN question


Not really experienced with VPNs, but couldn't you just build the L2L VPN with symmetric ACLs on both sides and use different ACLs to limit the traffic from the local networks as you described?

For example have the actual L2L VPN ACLs as:

A --> BC

permit ip a.a.a.a mask b.b.b.b mask

permit ip a.a.a.a mask c.c.c.c mask

BC --> A

permit ip b.b.b.b mask a.a.a.a mask

permit ip c.c.c.c mask a.a.a.a mask

Then use an ACL on the B and C LAN interface to allow traffic freely to a.a.a.a from b.b.b.b and c.c.c.c.

And would the router perhaps need slightly different ACLs, as it doesn't handle the traffic the same way as the ASA on the other end?

Something like

permit ip a.a.a.a mask b.b.b.b mask

permit tcp a.a.a.a mask c.c.c.c mask established

deny ip a.a.a.a mask c.c.c.c mask

or something in that direction?

As I said, I'm not too experienced with VPNs, and I have never really built them with anything other than two firewalls as endpoints.
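The split the reply describes, as an added worked example that is not part of the original thread: the crypto ACLs (the "interesting traffic" that decides what gets encrypted) are kept mirror images on both peers, and the one-way restriction is enforced separately. All addresses, names and interface numbers are assumptions (A = 10.1.0.0/24 behind the IOS router, B = 10.2.0.0/24 and C = 10.3.0.0/24 behind the ASA, peer addresses 203.0.113.1 and 198.51.100.1); IKE policies, pre-shared keys and NAT exemption are omitted. One ASA detail matters here: decrypted VPN traffic bypasses interface ACLs by default (sysopt connection permit-vpn), so the A-to-C block is only effective if that default is turned off and the filter is placed on the outside interface; the ASA is stateful, so replies to sessions that C opens toward A are still allowed without a permit. The router-side LAN ACL is an optional second layer; IOS interface ACLs are stateless, so its established keyword covers TCP replies only.

```cisco
! ---- ASA side (assumed addressing; ASA 8.4+ IKEv1 syntax) ----
! Crypto ACL: must mirror the router's exactly, so it lists both B->A and C->A.
access-list L2L-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L-TO-A extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Policy for traffic arriving from A after decryption: A may initiate to B, never to C.
! Replies to C-initiated sessions match existing connection state and need no entry.
access-list OUTSIDE-IN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list OUTSIDE-IN extended deny ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0 log
access-group OUTSIDE-IN in interface outside
!
! Without this, decrypted tunnel traffic skips OUTSIDE-IN entirely and the deny never fires.
! Note this affects every VPN terminating on this ASA, not just this tunnel.
no sysopt connection permit-vpn
!
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
!
! ---- IOS router side (assumed: A on GigabitEthernet0/1, WAN on GigabitEthernet0/0) ----
! Crypto ACL: the exact mirror of L2L-TO-A above (same two network pairs, reversed).
ip access-list extended L2L-TO-BC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Optional belt-and-braces filter on the A LAN. Stateless: 'established' only lets
! TCP replies back to C; UDP/ICMP replies to C-initiated traffic would be dropped here,
! so rely on the ASA (stateful) as the authoritative enforcement point.
ip access-list extended A-LAN-IN
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit tcp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
 deny ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group A-LAN-IN in
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address L2L-TO-BC
!
interface GigabitEthernet0/0
 crypto map OUTSIDE-MAP
```

To verify: from a host in A, a connection to B should succeed and a connection to C should show up as an OUTSIDE-IN deny in the ASA log; from a host in C, a connection to A should still succeed because its return packets match the ASA's connection table rather than the ACL.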