https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005501#M916415 <HTML><HEAD></HEAD><BODY><P>If I use this command "no sysopt connection permit-ipsec" then my other tunnels will be stop. </P><P></P><P>Using for ISP Tunnel</P><P>tunnel-group 2.2.2.2 type ipsec-l2l</P><P>tunnel-group 2.2.2.2 ipsec-attributes</P><P></P><P>Can you post the commands one by one. Here I am bit confused. Thanks</P></BODY></HTML> Sat, 19 Jul 2008 20:09:58 GMT nikuhappy2010 2008-07-19T20:09:58Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005499#M916410 <P>Hi, I have just estlablished a Site to Site Tunnel between our office and ISP and exempt IP protocol between both end and its working fine, I can access the remote network and they can access my office network as well. Now I want that we access the remote network and access all ports as we are able to access but I dont want that remote site able to access my office network except only 25 port. Please advice. The access list is below mentioned:-</P><P></P><P>access-list outside_cryptomap_3 extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247 255.255.255.0</P><P>access-list outside_cryptomap_3 extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247 255.255.255.0</P><P>access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247 255.255.255.0</P><P>access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247 255.255.255.0</P><P></P><P>Office Inside Network 192.168.50.0/24</P><P>Office DMZ Network 192.168.51.0/24</P><P>Remote Network 172.17.80.247/24</P><P></P><P>I also need that I could able to ping remote network machines and servers from office network Inside and DMZ Zones.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 13:17:02 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005499#M916410 nikuhappy2010 2019-03-11T13:17:02Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005500#M916412 <HTML><HEAD></HEAD><BODY><P>no sysopt connection permit-ipsec</P><P></P><P>access-list OUTSIDE-IN permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25 </P><P>access-group OUTSIDE-IN in int outside</P><P></P><P>or another variant</P><P></P><P>under "group-policy x.x.x.x attributes"</P><P>you can use "vpn-filter value ACL"</P><P> configure terminal</P></BODY></HTML> Sat, 19 Jul 2008 20:02:39 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005500#M916412 a.alekseev 2008-07-19T20:02:39Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005501#M916415 <HTML><HEAD></HEAD><BODY><P>If I use this command "no sysopt connection permit-ipsec" then my other tunnels will be stop. </P><P></P><P>Using for ISP Tunnel</P><P>tunnel-group 2.2.2.2 type ipsec-l2l</P><P>tunnel-group 2.2.2.2 ipsec-attributes</P><P></P><P>Can you post the commands one by one. Here I am bit confused. Thanks</P></BODY></HTML> Sat, 19 Jul 2008 20:09:58 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005501#M916415 nikuhappy2010 2008-07-19T20:09:58Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005502#M916419 <HTML><HEAD></HEAD><BODY><P>access-list XXX permit tcp 172.17.80.247 255.255.255.0 192.168.50.0 255.255.254.0 eq 25 </P><P>group-policy x.x.x.x attributes</P><P> vpn-filter value XXX</P><P> </P><P></P></BODY></HTML> Sat, 19 Jul 2008 20:35:34 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005502#M916419 a.alekseev 2008-07-19T20:35:34Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005503#M916421 <HTML><HEAD></HEAD><BODY><P>Hi, we dont need to delete any command as I mentioned and second would like to understand that vpn-filter is a command in ASA.</P></BODY></HTML> Sat, 19 Jul 2008 20:51:50 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005503#M916421 nikuhappy2010 2008-07-19T20:51:50Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005504#M916423 <HTML><HEAD></HEAD><BODY><P>if you want to understand <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>read the configuration guide.</P><P></P><P>vpn-filter </P><P>To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command. </P><P></P><P>You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs. </P><P></P><P>vpn-filter {value ACL name | none} </P><P></P><P>no vpn-filter </P><P></P><P></P></BODY></HTML> Sat, 19 Jul 2008 20:58:27 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005504#M916423 a.alekseev 2008-07-19T20:58:27Z https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005505#M916426 <HTML><HEAD></HEAD><BODY><P>Thanks, last I want to know that is there any other way to do the same process.</P></BODY></HTML> Sat, 19 Jul 2008 21:02:11 GMT https://community.cisco.com/t5/network-security/open-only-one-port-between-site-to-site-tunnel/m-p/1005505#M916426 nikuhappy2010 2008-07-19T21:02:11Z