Site-To_Site_VPN

Stephen Sisson
Level 1

Hello All,

I need some help with this site-to-site VPN with another company six hundred miles away.

We plan to use a Cisco ASA5505 firewall; on their side they will be using a router for the VPN tunnel.

We are looking for two things. The first: is there step-by-step documentation showing how to create this site-to-site VPN with another company? If so, please send the link or PDF.

We also need to know if it's possible, after creating the site-to-site with this company, to lock things down by only allowing them access to one or three servers on our network, making things more secure on our network and from prying eyes.

Thank you

9 Replies

Jouni Forss
VIP Alumni

Hi,

Here is a link to a video here on Cisco Support Community

https://supportforums.cisco.com/videos/2763

Here is a link to an (older) Cisco document on the same

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

Hope this helps

- Jouni

Hello Jouni

Nice video explaining step-by-step, thanks for this.

How about locking down the site-to-site VPN, giving them access to one or more servers and not the whole subnet? Is this possible, and do you have a video or documentation (or both) showing this?

Thank you Sir

Oh and also,

On the ASA you can use a command

no sysopt connection permit-vpn

This disables the default setting that would allow all traffic coming through a VPN connection to bypass the "outside" interface ACL. With the above change you would use the "outside" interface ACL to allow and deny traffic even for the traffic coming through the VPN connection.

Naturally, if you have some existing VPN connections then you would have to configure ACL rules for those before you change the above setting. Otherwise they would start to get blocked.

The other option is configuring a VPN Filter ACL for the connection, but it's a bit harder and more time consuming to manage.

- Jouni

Any documentation / examples showing how to put this in place?

Let me also ask: if you were installing this site-to-site VPN with another company to move secure data between both parties, would you allow access to the whole subnet or lock things down to one or more servers?

Thank you Sir

Hi,

In the cases where you are connecting 2 offices of your own company I might have looser access rules, but if we are talking about a connection to a 3rd party site then I would use strict rules on what is allowed to connect to my network.

Here is one document on VPN Filter ACLs for both Client VPN and L2L VPN. Notice that they are configured a bit differently.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please do remember to mark a reply as the correct answer if you feel it has answered your question.

Naturally feel free to ask more if needed.

- Jouni

No problem,

I am actually sitting at work doing both work and CSC at the same time. I might be slightly out of my mind.

Well, my summer vacation starts after this week, though I would imagine that I will be writing here still (as I am slightly out of my mind).

- Jouni

Azubuike Obiora
Level 1

Hi Steve,

Jouni has given you very wonderful help links. Just to add to his reply and answer your 2nd question: yes, it's possible to lock down just 3 of your servers for them to have access to. For instance, say you are using an ASA with software 8.3 and higher; here is a sample config of what you need to do for the ACL:

access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0

object-group network 3-SERVERS
 description The three internal servers the remote office may reach
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3

object network Remote_office
 description Remote office LAN behind the VPN peer
 subnet 172.16.1.0 255.255.255.0

nat (inside,outside) 1 source static 3-SERVERS 3-SERVERS destination static Remote_office Remote_office

This should work for you on ASA software 8.3 and higher. For software 8.2 and lower this should suffice:


access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0

access-list NO-NAT extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0

nat (inside) 0 access-list NO-NAT

I believe this would help you out! The rest of the configs, go via the links Jouni sent to you. Have a good one.

Teddy
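An added example (not from this thread or from the linked Cisco documents) that puts Jouni's `no sysopt connection permit-vpn` advice and Teddy's three-server objects together on an ASA running 8.3 or later: once VPN traffic no longer bypasses the outside interface ACL, that ACL is what limits the partner to the three servers. The addresses are the ones Teddy used; the peer address 203.0.113.1 and the interface, ACL and group-policy names are placeholders chosen for this example, and the IKE/crypto map configuration is left to the linked documents.

```text
! Placeholders: peer 203.0.113.1, ACL/group names; addresses as in Teddy's post.

! 1. VPN traffic must now pass the outside interface ACL like any other traffic
no sysopt connection permit-vpn

! 2. The three servers and the partner subnet
object-group network 3-SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
object network Remote_office
 subnet 172.16.1.0 255.255.255.0

! 3. Outside ACL: the partner subnet may reach only the three servers.
!    Apply before the tunnel comes up (or add these lines to the existing
!    outside ACL), otherwise established tunnels start getting blocked.
access-list OUTSIDE_IN extended permit ip object Remote_office object-group 3-SERVERS
access-list OUTSIDE_IN extended deny ip object Remote_office any log
access-group OUTSIDE_IN in interface outside

! 4. Identity NAT so the servers keep their real addresses across the tunnel
nat (inside,outside) 1 source static 3-SERVERS 3-SERVERS destination static Remote_office Remote_office

! Alternative (the VPN Filter option Jouni mentions): filter on the partner's
! tunnel group instead of the outside ACL. For an L2L tunnel the filter ACL is
! written with the remote network as the source.
access-list PARTNER_VPN_FILTER extended permit ip object Remote_office object-group 3-SERVERS
group-policy PARTNER_L2L internal
group-policy PARTNER_L2L attributes
 vpn-filter value PARTNER_VPN_FILTER
tunnel-group 203.0.113.1 general-attributes
 default-group-policy PARTNER_L2L
```

The explicit deny with `log` is what lets you see in the syslog when the partner tries to reach anything beyond the three servers; the implicit deny at the end of the ACL would drop it silently.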



Thank you both for the step-by-step instruction for making this happen.

I'm so blessed to have you both working today and available to help with this.

Thank you very much Guys

Hi Steve,

You are most welcome! In my opinion most of the thanks should go to Jouni! I personally would say I've learned a lot from him! Jouni, not trying to flatter you but just being honest: you are a blessing to this forum! By the way, Jouni, enjoy your summer vacation! Just a little heads up: I still haven't resolved the issue with the VPN, so I intend to contact TAC for further assistance.

Have a good one, Steve.

Cheers

Teddy
