07-18-2013 06:23 AM
Hello All,
I need some help with a site-to-site VPN to another company six hundred miles away.
We plan to use a Cisco ASA5505 firewall; on their side they will be using a router for the VPN tunnel.
We are looking for two things. First, is there step-by-step documentation showing how to create this site-to-site VPN with another company? If so, please send the link or PDF.
We also need to know whether it's possible, after creating the site-to-site VPN with this company, to lock things down by allowing them access to only one to three servers on our network, keeping our network more secure and away from prying eyes.
Thank you
07-18-2013 06:27 AM
Hi,
Here is a link to a video here on the Cisco Support Community:
https://supportforums.cisco.com/videos/2763
Here is a link to an (older) Cisco document on the same topic:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
Hope this helps
- Jouni
07-18-2013 06:47 AM
Oh and also,
On the ASA you can use the command
no sysopt connection permit-vpn
to disable the default setting, which allows all traffic coming through a VPN connection to bypass the "outside" interface ACL. With the above change you would use the "outside" interface ACL to allow and deny traffic even for traffic coming through the VPN connection.
Naturally, if you have existing VPN connections you would have to configure ACL rules for them before you change the above setting. Otherwise they would start to get blocked.
The other option is configuring a VPN Filter ACL for the connection, but it's a bit harder and more time-consuming to manage.
- Jouni
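Putting the pieces of this reply together, as an added example that is not part of the original thread and not taken from the linked Cisco documents: a minimal ASA-side LAN-to-LAN configuration in which the crypto ACL only carries the three servers and, with "sysopt connection permit-vpn" disabled, the "outside" interface ACL decides what the partner can actually reach. Every address, name (PARTNER-LAN, SHARED-SERVERS, L2L-PARTNER, OUTSIDE-MAP, OUTSIDE-IN), port and the software version are assumptions chosen for the example.

```text
! Added example (not from the original thread). Assumed values:
!   inside LAN        192.168.1.0/24, shared servers 192.168.1.1 - 192.168.1.3
!   partner LAN       172.16.1.0/24
!   partner VPN peer  203.0.113.1 (documentation address), reached via "outside"
!   ASA software      8.4(2) or later (ikev1 keyword syntax, twice NAT keywords)
!
! --- Objects ---------------------------------------------------------------
object network PARTNER-LAN
 subnet 172.16.1.0 255.255.255.0
object-group network SHARED-SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
!
! --- Layer 1: crypto ACL (interesting traffic) ------------------------------
! Only server <-> partner-LAN flows are encrypted at all. The partner router's
! crypto ACL must be the exact mirror (three /32 -> 172.16.1.0/24 entries), or
! phase 2 will not negotiate.
access-list L2L-PARTNER extended permit ip object-group SHARED-SERVERS object PARTNER-LAN
!
! --- NAT exemption (identity NAT) for the same traffic ----------------------
nat (inside,outside) source static SHARED-SERVERS SHARED-SERVERS destination static PARTNER-LAN PARTNER-LAN no-proxy-arp route-lookup
!
! --- IKEv1 / IPsec: use the strongest settings the partner router supports --
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <long-random-psk-exchanged-out-of-band>
!
! --- Layer 2: decrypted traffic no longer bypasses the outside ACL ----------
no sysopt connection permit-vpn
!
! --- Outside ACL: the only things the partner may now reach -----------------
! Rules that already exist for non-VPN inbound traffic stay in this ACL; the
! lines below are added to it. Ports (HTTPS, SSH) are assumed.
access-list OUTSIDE-IN extended permit tcp object PARTNER-LAN object-group SHARED-SERVERS eq 443
access-list OUTSIDE-IN extended permit tcp object PARTNER-LAN object-group SHARED-SERVERS eq 22
access-list OUTSIDE-IN extended deny ip object PARTNER-LAN any log
access-group OUTSIDE-IN in interface outside
!
! --- Checks ------------------------------------------------------------------
! show running-config sysopt     -> must list "no sysopt connection permit-vpn"
! show crypto ipsec sa           -> one SA per crypto-ACL entry once traffic flows
! show access-list OUTSIDE-IN    -> hitcnt rises on the permit lines, and on the
!                                   logged deny when the partner probes anything else
! packet-tracer input outside tcp 172.16.1.10 40000 192.168.1.1 443   (expected: ALLOW)
! packet-tracer input outside tcp 172.16.1.10 40000 192.168.1.1 445   (expected: DROP)
```

The two layers are deliberately redundant: the crypto ACL keeps anything outside the three servers from ever being encrypted, and the outside ACL limits the partner to the needed ports even if the crypto ACL is later widened. Order of operations matters when retrofitting this onto a firewall that already has tunnels: add the OUTSIDE-IN entries for every existing peer first, then disable the sysopt, as the reply above warns.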
07-18-2013 07:03 AM
Hi steve,
Jouni has given you very wonderful help links. Just to add to his reply and answer your 2nd question: yes, it's possible to lock it down to just 3 of your servers for them to have access to. For instance, say you are using an ASA with software 8.3 and higher; here is a sample configuration of what you need to do for the ACL:
! interesting-traffic (crypto) ACL: the three servers to the remote /24 (mask 255.255.255.0, not a host mask)
access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0
! a network object holds a single host; several hosts need an object-group
object-group network 3-SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
object network Remote_office
 subnet 172.16.1.0 255.255.255.0
! NAT exemption (identity NAT); the keyword order is "source static"
nat (inside,outside) 1 source static 3-SERVERS 3-SERVERS destination static Remote_office Remote_office
This should work for you on ASA software 8.3 and higher. For software 8.2 and lower this should suffice:
access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0
! NAT exemption ACL for the same three hosts
access-list NO-NAT extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
I believe this would help you out! For the rest of the configs, go via the links Jouni sent you. Have a good one.
Teddy
07-18-2013 07:12 AM
No problem,
I am actually sitting at work doing both work and CSC at the same time. I might be slightly out of my mind.
Well, my summer vacation starts after this week, though I would imagine that I will still be writing here (as I am slightly out of my mind).
- Jouni
07-18-2013 07:19 AM
Hi Steve,
You are most welcome! In my opinion most of the thanks should go to Jouni! I personally would say I've learned a lot from him! Jouni, not trying to flatter you, but just being honest: you are a blessing to this forum! By the way, Jouni, enjoy your summer vac! Just a little heads up: I still haven't resolved the issue with the VPN, so I intend to contact TAC for further assistance.
Have a good one steve.
Cheers
Teddy
07-18-2013 06:47 AM
Hello Jouni
Nice video explaining it step by step, thanks for this.
How about locking down the site-to-site VPN, giving them access to one or more servers and not the whole subnet? Is this possible, and do you have a video or documentation (or both) showing this?
Thank you Sir
07-18-2013 06:54 AM
Is there any documentation or are there examples showing how to put this in place?
Let me also ask: if you were installing this site-to-site VPN with another company to move secure data between both parties, would you allow access to the whole subnet or lock things down to one or more servers?
Thank you Sir
07-18-2013 07:10 AM
Hi,
In cases where you are connecting two offices of your own company I might have looser access rules, but if we are talking about a connection to a 3rd-party site then I would use strict rules on what is allowed to connect to my network.
Here is one document on VPN Filter ACLs for both Client VPN and L2L VPN. Notice that they are configured in a slightly different way.
Please do remember to mark a reply as the correct answer if you feel it has answered your question.
Naturally feel free to ask more if needed.
- Jouni
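The VPN Filter approach mentioned in this reply and earlier in the thread, written out as an added example that is not from the thread or from the document Jouni refers to: the filter is attached to a group-policy for the LAN-to-LAN tunnel-group, so it restricts the partner without touching the "outside" interface ACL. Addresses, ports, the names (SHARED-SERVERS, PARTNER-VPN-FILTER, PARTNER-GP) and the software version are assumptions.

```text
! Added example (not from the original thread). Assumed values:
!   partner LAN 172.16.1.0/24, partner peer 203.0.113.1 (documentation address),
!   shared servers 192.168.1.1 - 192.168.1.3, ASA 8.4 or later.
! With this method "sysopt connection permit-vpn" stays at its default, so the
! filter is the only gate on decrypted traffic: get its direction right.
!
object-group network SHARED-SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
!
! For a LAN-to-LAN tunnel the filter ACL is written from the partner's side:
! source = partner network, destination = local network. The ASA evaluates
! inbound decrypted packets as written and return traffic with source and
! destination swapped, so one permit covers both directions of a connection;
! do not add a mirrored line. "eq 443" in the destination position permits
! partner-initiated connections to the servers' port 443; a server initiating
! a connection to the partner on 443 would need the port in the source
! (partner) position instead.
access-list PARTNER-VPN-FILTER extended permit tcp 172.16.1.0 255.255.255.0 object-group SHARED-SERVERS eq 443
access-list PARTNER-VPN-FILTER extended permit tcp 172.16.1.0 255.255.255.0 object-group SHARED-SERVERS eq 22
! (everything else arriving through the tunnel hits the implicit deny)
!
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value PARTNER-VPN-FILTER
!
tunnel-group 203.0.113.1 general-attributes
 default-group-policy PARTNER-GP
!
! Checks:
! show vpn-sessiondb detail l2l        -> the 203.0.113.1 session shows Filter Name: PARTNER-VPN-FILTER
! show access-list PARTNER-VPN-FILTER  -> hitcnt on the permit lines rises as the partner connects
! clear crypto ipsec sa peer 203.0.113.1
!    -> after changing which ACL the group-policy points at, bounce the tunnel so the
!       session is rebuilt with the new filter
```

The management cost Jouni mentions comes from the reversed perspective and the bidirectional matching: every rule has to be reasoned about as "partner -> local" even for flows the local side starts, which is easy to get wrong on a filter that only a few people ever edit. The interface-ACL method reads in the same direction as the rest of the firewall policy, which is why it is usually the easier one to audit.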
07-18-2013 07:08 AM
Thank you both for the step-by-step instructions for making this happen.
I'm so blessed to have you both working today and available to help with this.
Thank you very much Guys