
New Member

Site-To_Site_VPN

Hello All,

I need some help with a site-to-site VPN to another company six hundred miles away.

We plan to use a Cisco ASA5505 firewall; on their side they will be using a router for the VPN tunnel.

We are looking for two things. First, is there step-by-step documentation showing how to create this site-to-site VPN with another company? If so, please send the link or PDF.

We also need to know if it's possible, after creating the site-to-site VPN with this company, to lock things down by only allowing them access to one or three servers on our network, making things more secure on our network and from prying eyes.

Thank you

  • VPN
9 REPLIES
Super Bronze

Site-To_Site_VPN

Hi,

Here is a link to a video here on Cisco Support Community

https://supportforums.cisco.com/videos/2763

Here is a link to an (older) Cisco document on the same topic

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

Hope this helps

- Jouni

New Member

Site-To_Site_VPN

Hello Jouni

Nice video explaining step-by-step, thanks for this.

How about locking down the site-to-site VPN, giving them access to one or more servers and not the whole subnet? Is this possible, and do you have a video or documentation (or both) showing this?

Thank you Sir

Super Bronze

Site-To_Site_VPN

Oh and also,

On the ASA you can use the command

no sysopt connection permit-vpn

to disable the default setting, which allows all traffic coming through a VPN connection to bypass the "outside" interface ACL. With the above change you would use the "outside" interface ACL to allow and deny traffic, even for the traffic coming through the VPN connection.

Naturally, if you have some existing VPN connections, then you would have to configure ACL rules for those before you change the above setting. Otherwise they would start to get blocked.

The other option is configuring a VPN Filter ACL for the connection, but it's a bit harder and more time consuming to manage.

- Jouni
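As an added illustration of the approach in this reply (not configuration from the thread or from Cisco's documents), here is an ASA configuration that turns off the VPN bypass and then uses the outside interface ACL to let the partner reach only three servers. It assumes a partner LAN of 172.16.1.0/24, local servers 192.168.1.1-3, that the partner only needs HTTPS, and ASA 8.3 or later (where ACLs reference real, untranslated addresses); the object and ACL names are hypothetical.

```cisco
! Added example, not from the thread: restrict a partner L2L tunnel with the
! outside interface ACL after "no sysopt connection permit-vpn".
! Assumed: partner LAN 172.16.1.0/24, local servers 192.168.1.1-3, HTTPS only,
! ASA 8.3+. Object and ACL names are hypothetical.

! 0. Before flipping the setting, check which tunnels exist and confirm that
!    each already has matching permit rules in the outside ACL, otherwise
!    they are cut off the moment the bypass is removed.
show running-config | include sysopt
show vpn-sessiondb l2l

! 1. Stop decrypted VPN traffic from bypassing the outside interface ACL
no sysopt connection permit-vpn

! 2. Objects: a group for the reachable servers (several hosts need an
!    object-group, a plain "object network" holds only one), and the partner LAN
object-group network PARTNER_REACHABLE_SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
object network PARTNER_LAN
 subnet 172.16.1.0 255.255.255.0

! 3. Outside ACL: partner -> three servers on 443 only. The explicit deny with
!    "log" makes every other attempt from the partner visible in syslog.
access-list OUTSIDE_IN extended permit tcp object PARTNER_LAN object-group PARTNER_REACHABLE_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip object PARTNER_LAN any log
access-group OUTSIDE_IN in interface outside

! 4. Verify: the first flow should be permitted, the second should hit the
!    deny line. packet-tracer does not simulate decryption, but it shows which
!    ACL entry a decrypted flow from the partner would match.
packet-tracer input outside tcp 172.16.1.10 40000 192.168.1.1 443
packet-tracer input outside tcp 172.16.1.10 40000 192.168.1.50 445
show access-list OUTSIDE_IN
```

If an ACL is already bound inbound on the outside interface, add the two partner lines to that ACL instead of binding a new one, and keep the partner's permit entries above any broad deny. Hit counts in `show access-list OUTSIDE_IN` and the logged denies are the simplest way to confirm the partner is not reaching anything beyond the three servers.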

New Member

Site-To_Site_VPN

Any documentation / examples showing how to put this in place?

Let me also ask: if you were installing this site-to-site VPN with another company to move secure data between both parties, would you allow access to the whole subnet or lock things down to one or more servers?

Thank you Sir

Super Bronze

Site-To_Site_VPN

Hi,

In the cases where you are connecting 2 offices of your own company I might have looser access rules, but if we are talking about a connection to a 3rd party site then I would use strict rules on what is allowed to connect to my network.

Here is one document on VPN Filter ACLs for both Client VPN and L2L VPN. Notice that they are configured in a slightly different way.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please do remember to mark a reply as the correct answer if you feel it has answered your question.

Naturally feel free to ask more if needed.

- Jouni
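To show the VPN Filter alternative mentioned in this reply, here is an added example (not from the thread or the linked document) of a per-tunnel vpn-filter for a partner L2L connection. It uses the same assumed addresses, partner LAN 172.16.1.0/24 and local servers 192.168.1.1-3 on HTTPS; the peer address 203.0.113.10, the group-policy name and the ACL name are placeholders.

```cisco
! Added example, not from the thread: vpn-filter on a L2L tunnel so the
! partner can only reach three local servers over HTTPS.
! Assumed: partner LAN 172.16.1.0/24, local servers 192.168.1.1-3.
! Peer 203.0.113.10, group-policy and ACL names are placeholders.

! Caveat that trips people up: for a L2L tunnel the vpn-filter ACL is written
! from the remote side's point of view, source = partner network,
! destination = local hosts. The ASA then enforces it for both directions
! of the tunnel, so local-to-partner traffic is also limited to these flows.
access-list PARTNER_VPN_FILTER extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.1 eq 443
access-list PARTNER_VPN_FILTER extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.2 eq 443
access-list PARTNER_VPN_FILTER extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.3 eq 443
! No explicit deny is needed: the implicit deny at the end of the ACL drops
! everything else that tries to use the tunnel.

! Attach the filter through a group-policy dedicated to this partner
group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value PARTNER_VPN_FILTER

! Bind that group-policy to the partner's tunnel-group
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER_GP
! The crypto map, transform set and pre-shared key for the peer are set up
! as in the linked documents and are not repeated here.

! Verify that the filter is attached to the live session ("Filter Name")
show vpn-sessiondb detail l2l
```

Because the filter is bound to one tunnel-group, it does not interact with other tunnels or with the outside interface ACL, which is what makes it safe to add to a firewall that already carries other VPNs; the cost, as the reply notes, is that each partner ends up with its own ACL and group-policy to maintain.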

Super Bronze

Site-To_Site_VPN

No problem,

I am actually sitting at work doing both work and CSC at the same time. I might be slightly out of my mind.

Well, my summer vacation starts after this week, though I would imagine that I will be writing here still (as I am slightly out of my mind).

- Jouni

New Member

Site-To_Site_VPN

Hi steve,

Jouni has given you very wonderful help links. Just to add to his reply and answer your 2nd question: yes, it's possible to lock down just 3 of your servers for them to have access. For instance, say you are using an ASA with software 8.3 and higher; here is a sample config of what you need to do for the ACL:

! Interesting-traffic ACL for the crypto map: only the three servers
! to the remote LAN (172.16.1.0/24, so the mask is 255.255.255.0)
access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0

! Several hosts need an object-group; a plain "object network" holds one host
object-group network 3-SERVERS
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3

object network Remote_office
 subnet 172.16.1.0 255.255.255.0

! NAT exemption (identity twice NAT) so the three servers keep their
! real addresses toward the remote office
nat (inside,outside) 1 source static 3-SERVERS 3-SERVERS destination static Remote_office Remote_office

This should work for you on ASA software 8.3 and higher. For software 8.2 and lower, this should suffice:

! Same interesting-traffic ACL for the crypto map
access-list 3servers extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list 3servers extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0

! NAT exemption ACL ("host x" takes no mask) and the nat 0 statement
access-list NO-NAT extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip host 192.168.1.3 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

I believe this would help you out! For the rest of the configs, go via the links Jouni sent you. Have a good one.

Teddy



New Member

Site-To_Site_VPN

Thank you both for the step-by-step instruction for making this happen.

I'm so blessed to have you both working today and available to help with this.

Thank you very much, guys.

New Member

Site-To_Site_VPN

Hi Steve,

You are most welcome! In my opinion most of the thanks should go to Jouni! I personally would say I've learned a lot from him! Jouni, not trying to flatter you, but just being honest: you are a blessing to this forum! By the way, Jouni, enjoy your summer vac! Just a little heads up: I still haven't resolved the issue with the VPN, so I intend contacting TAC for further assistance.

Have a good one steve.

Cheers

Teddy
