topic Restricted access for a site-to-site VPN in Network Security

Restricted access for a site-to-site VPN

Rex Biesty — Mon, 11 Mar 2019 10:17:32 GMT

Hi. I'm after some advice. Is there any way to restrict the remote end of a site-to-site VPN connection to certain devices on our network? We use a Pix 515E (v7 s/w). I know how to do it for remote users connecting via Cisco client s/w but not for existing site VPNs. Thanks.

Re: Restricted access for a site-to-site VPN

acomiskey — Mon, 21 May 2007 12:23:43 GMT

How are you doing it for remote access vpn's? You've got several options and they are the same as the ones for your remote access vpns.

For the lan to lan tunnels you could remove sysopt conn permit-ipsec and use interface acls to filter the traffic (will affect all ipsec traffic). You could also be very specific with your interesting traffic and nat exemption acl's to define traffic only to those devices which you wanted remote access.

Re: Restricted access for a site-to-site VPN

Rex Biesty — Mon, 21 May 2007 14:39:46 GMT

Hi and thanks for the reply. Existing restrictions on incoming client VPN connections are achieved by creating a new VPN group, restricting that group to one IP address when they connect then limiting what that IP address can access

(e.g.

vpngroup external_support address-pool pool2

vpngroup external_support dns-server

vpngroup external_support wins-server

vpngroup external_support default-domain

vpngroup external_support idle-time 1800

vpngroup external_support password

ip local pool pool2 10.x.x.1-10.x.x.1 mask 255.255.255.255

nat (inside) 0 access-list nonat

access-list nonat permit ip host host 10.x.x.1

access-list nonat permit ip host host 10.x.x.1)

Currently we have a number of people and companies who connect via client and site VPNs so I'm after a solution which will not affect existing connectivity. Can a similar solution to the one I already use be implemented for site vpns. Thanks.

Re: Restricted access for a site-to-site VPN

acomiskey — Mon, 21 May 2007 14:57:48 GMT

Sure, you can do something like this with interesting traffic...

access-list outside_cryptomap_20 extended permit ip host

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.1

access-list outside_cryptomap_40 extended permit ip host

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer x.x.x.2

Another option is to implement a vpn-filter and apply it to specific tunnel group policies. This document is for remote access vpn's but it works for lan to lan group policies as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Re: Restricted access for a site-to-site VPN

Rex Biesty — Mon, 21 May 2007 15:03:39 GMT

Thanks for the reply. I'll try it out over the next few weeks and let you know if I get stuck